vcl/source/fontsubset/sft.cxx |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

New commits:
commit 9cec15391b7dd9556a6fb78875ad7b3421b93ab1
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Sat Mar 5 10:03:43 2022 +0000
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Sat Mar 5 14:50:09 2022 +0100

    ofz: record less than 10 bytes is invalid
    
    Change-Id: Ie6b88efbc12b4c7fddb7459e50cba28fcbcf35fe
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131048
    Tested-by: Caolán McNamara <caol...@redhat.com>
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 794cdd59d7f8..875eeb96730e 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -354,11 +354,18 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const 
*ttf, sal_uInt32 glyphI
 
     const sal_uInt8* ptr = table + nGlyphOffset;
     const sal_uInt32 nMaxGlyphSize = nTableSize - nGlyphOffset;
+    constexpr sal_uInt32 nContourOffset = 10;
+    if (nMaxGlyphSize < nContourOffset)
+        return 0;
 
     const sal_Int16 numberOfContours = GetInt16(ptr, 
GLYF_numberOfContours_offset);
     if( numberOfContours <= 0 )             /*- glyph is not simple */
         return 0;
 
+    const sal_Int32 nMaxContours = (nMaxGlyphSize - nContourOffset)/2;
+    if (numberOfContours > nMaxContours)
+        return 0;
+
     if (metrics) {                                                    /*- 
GetCompoundTTOutline() calls this function with NULL metrics -*/
         metrics->xMin = GetInt16(ptr, GLYF_xMin_offset);
         metrics->yMin = GetInt16(ptr, GLYF_yMin_offset);
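Review bot: The added `if (nMaxGlyphSize < nContourOffset)` guard is only sound if `nGlyphOffset <= nTableSize` already holds, because `nTableSize - nGlyphOffset` is an unsigned subtraction that wraps to a very large value instead of going negative. That precondition is not visible in this hunk (GetSimpleTTOutline starts above it), so if nothing earlier enforces it, add `if (nGlyphOffset > nTableSize) return 0;` before `nMaxGlyphSize` is computed. It would also help to document where 10 comes from, e.g. `// glyf header: numberOfContours + xMin/yMin/xMax/yMax, five 16-bit fields`, so the constant stays tied to the `GLYF_*_offset` reads it protects.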
@@ -369,22 +376,19 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const 
*ttf, sal_uInt32 glyphI
 
     /* determine the last point and be extra safe about it. But probably this 
code is not needed */
     sal_uInt16 lastPoint=0;
-    const sal_Int32 nMaxContours = (nMaxGlyphSize - 10)/2;
-    if (numberOfContours > nMaxContours)
-        return 0;
     for (i=0; i<numberOfContours; i++)
     {
-        const sal_uInt16 t = GetUInt16(ptr, 10+i*2);
+        const sal_uInt16 t = GetUInt16(ptr, nContourOffset + i * 2);
         if (t > lastPoint)
             lastPoint = t;
     }
 
-    sal_uInt32 nInstLenOffset = 10 + numberOfContours * 2;
+    sal_uInt32 nInstLenOffset = nContourOffset + numberOfContours * 2;
     if (nInstLenOffset + 2 > nMaxGlyphSize)
         return 0;
     sal_uInt16 instLen = GetUInt16(ptr, nInstLenOffset);
 
-    sal_uInt32 nOffset = 10 + 2 * numberOfContours + 2 + instLen;
+    sal_uInt32 nOffset = nContourOffset + 2 * numberOfContours + 2 + instLen;
     if (nOffset > nMaxGlyphSize)
         return 0;
     const sal_uInt8* p = ptr + nOffset;
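Review bot: `nOffset` recomputes the contour-array size that `nInstLenOffset` already holds; deriving it as `sal_uInt32 nOffset = nInstLenOffset + 2 + instLen;` would keep the two bounds checks from drifting apart if the layout arithmetic is edited later. The function body continues past this hunk, where `p` and the file-controlled `lastPoint` are consumed. The checks visible here cover only the header, the end-point array and the instruction bytes, so the flag and coordinate parsing that follows presumably needs its own limits against `nMaxGlyphSize`.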
