[Libreoffice-commits] core.git: 2 commits - vcl/inc vcl/source

David Tardon dtardon at redhat.com
Mon Nov 3 12:50:02 PST 2014 

 vcl/inc/sft.hxx               |    2 +-
 vcl/source/fontsubset/sft.cxx |   41 +++++++++++++++++++++++++++--------------
 2 files changed, 28 insertions(+), 15 deletions(-)

New commits:
commit ca08fcbb90defb44456a5973bd1cc76b817d9a4f
Author: David Tardon <dtardon at redhat.com>
Date:   Mon Nov 3 19:55:02 2014 +0100

    coverity#1242811 untrusted pointer read
    
    Change-Id: I74c29a39367e7781e5e6cf9795c7176ef599f97e

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 711ef17..5d07368 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1067,7 +1067,7 @@ typedef struct _subHeader2 {
     sal_uInt16 idRangeOffset;
 } subHeader2;
 
-static sal_uInt32 getGlyph2(const sal_uInt8 *cmap, sal_uInt32, sal_uInt32 c) {
+static sal_uInt32 getGlyph2(const sal_uInt8 *cmap, const sal_uInt32 nMaxCmapSize, sal_uInt32 c) {
     sal_uInt16 *CMAP2 = (sal_uInt16 *) cmap;
     sal_uInt8 theHighByte;
 
@@ -1075,14 +1075,20 @@ static sal_uInt32 getGlyph2(const sal_uInt8 *cmap, sal_uInt32, sal_uInt32 c) {
     subHeader2* subHeader2s;
     sal_uInt16* subHeader2Keys;
     sal_uInt16 firstCode;
-    int k;
+    int k = -1;
     sal_uInt32 ToReturn;
 
     theHighByte = (sal_uInt8)((c >> 8) & 0x00ff);
     theLowByte = (sal_uInt8)(c & 0x00ff);
     subHeader2Keys = CMAP2 + 3;
     subHeader2s = (subHeader2 *)(subHeader2Keys + 256);
-    k = Int16FromMOTA(subHeader2Keys[theHighByte]) / 8;
+    if(reinterpret_cast<sal_uInt8*>(&subHeader2Keys[theHighByte]) - cmap < nMaxCmapSize - 2)
+    {
+        k = Int16FromMOTA(subHeader2Keys[theHighByte]) / 8;
+        // check if the subheader record fits into available space
+        if((k >= 0) && (reinterpret_cast<sal_uInt8*>(&subHeader2s[k]) - cmap >= int(nMaxCmapSize - sizeof(subHeader2))))
+            k = -1;
+    }
 
     if(k == 0) {
         firstCode = Int16FromMOTA(subHeader2s[k].firstCode);
commit 0150921c3d898c9fd31e8312df1d717a4632d16d
Author: David Tardon <dtardon at redhat.com>
Date:   Mon Nov 3 19:42:09 2014 +0100

    coverity#1242806 untrusted pointer read
    
    Change-Id: Ib92e1a22d7d25f4498272731af12c485937f38ef

diff --git a/vcl/inc/sft.hxx b/vcl/inc/sft.hxx
index 6dae9de..5d0f493 100644
--- a/vcl/inc/sft.hxx
+++ b/vcl/inc/sft.hxx
@@ -564,7 +564,7 @@ namespace vcl
         sal_uInt32  numOfLongVerMetrics;                   /* if this number is not 0, font has vertical metrics information */
         const sal_uInt8* cmap;
         int         cmapType;
-        sal_uInt32 (*mapper)(const sal_uInt8 *, sal_uInt32); /* character to glyphID translation function                          */
+        sal_uInt32 (*mapper)(const sal_uInt8 *, sal_uInt32, sal_uInt32); /* character to glyphID translation function                          */
         const sal_uInt8   **tables;                        /* array of pointers to raw subtables in SFNT file                    */
         sal_uInt32  *tlens;                                /* array of table lengths                                             */
         int         kerntype;                              /* Defined in the KernType enum                                       */
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index cc13d17..711ef17 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1052,7 +1052,7 @@ enum cmapType {
  * getGlyph12() function and friends by:
  * @author HDU
  */
-static sal_uInt32 getGlyph0(const sal_uInt8* cmap, sal_uInt32 c) {
+static sal_uInt32 getGlyph0(const sal_uInt8* cmap, sal_uInt32, sal_uInt32 c) {
     if (c <= 255) {
         return *(cmap + 6 + c);
     } else {
@@ -1067,7 +1067,7 @@ typedef struct _subHeader2 {
     sal_uInt16 idRangeOffset;
 } subHeader2;
 
-static sal_uInt32 getGlyph2(const sal_uInt8 *cmap, sal_uInt32 c) {
+static sal_uInt32 getGlyph2(const sal_uInt8 *cmap, sal_uInt32, sal_uInt32 c) {
     sal_uInt16 *CMAP2 = (sal_uInt16 *) cmap;
     sal_uInt8 theHighByte;
 
@@ -1115,7 +1115,7 @@ static sal_uInt32 getGlyph2(const sal_uInt8 *cmap, sal_uInt32 c) {
     }
 }
 
-static sal_uInt32 getGlyph6(const sal_uInt8 *cmap, sal_uInt32 c) {
+static sal_uInt32 getGlyph6(const sal_uInt8 *cmap, sal_uInt32, sal_uInt32 c) {
     sal_uInt16 firstCode, lastCode, count;
     sal_uInt16 *CMAP6 = (sal_uInt16 *) cmap;
 
@@ -1150,7 +1150,7 @@ static sal_uInt16 GEbinsearch(sal_uInt16 *ar, sal_uInt16 length, sal_uInt16 toSe
     return (sal_uInt16)lastfound;
 }
 
-static sal_uInt32 getGlyph4(const sal_uInt8 *cmap, sal_uInt32 c) {
+static sal_uInt32 getGlyph4(const sal_uInt8 *cmap, const sal_uInt32 nMaxCmapSize, sal_uInt32 c) {
     sal_uInt16  i;
     int ToReturn;
     sal_uInt16  segCount;
@@ -1172,22 +1172,25 @@ static sal_uInt32 getGlyph4(const sal_uInt8 *cmap, sal_uInt32 c) {
     }
     startCode = endCode + segCount + 1;
 
-    if(Int16FromMOTA(startCode[i]) > c) {
+    if((reinterpret_cast<sal_uInt8*>(&startCode[i]) - cmap >= nMaxCmapSize - 2) || Int16FromMOTA(startCode[i]) > c) {
         return MISSING_GLYPH_INDEX;
     }
     idDelta = startCode + segCount;
     idRangeOffset = idDelta + segCount;
     /*glyphIndexArray = idRangeOffset + segCount;*/
 
-    if(Int16FromMOTA(idRangeOffset[i]) != 0) {
-        c = Int16FromMOTA(*(&(idRangeOffset[i]) + (Int16FromMOTA(idRangeOffset[i])/2 + (c - Int16FromMOTA(startCode[i])))));
+    if((reinterpret_cast<sal_uInt8*>(&idRangeOffset[i]) - cmap < nMaxCmapSize - 2) && Int16FromMOTA(idRangeOffset[i]) != 0) {
+        sal_uInt16 * pGlyphOffset = &(idRangeOffset[i]) + (Int16FromMOTA(idRangeOffset[i])/2 + (c - Int16FromMOTA(startCode[i])));
+        if(reinterpret_cast<sal_uInt8*>(pGlyphOffset) - cmap >= nMaxCmapSize - 2)
+            return MISSING_GLYPH_INDEX;
+        c = Int16FromMOTA(*pGlyphOffset);
     }
 
     ToReturn = (Int16FromMOTA(idDelta[i]) + c) & 0xFFFF;
     return ToReturn;
 }
 
-static sal_uInt32 getGlyph12(const sal_uInt8 *pCmap, sal_uInt32 cChar) {
+static sal_uInt32 getGlyph12(const sal_uInt8 *pCmap, sal_uInt32, sal_uInt32 cChar) {
     const sal_uInt32* pCMAP12 = (const sal_uInt32*)pCmap;
     int nLength = Int32FromMOTA( pCMAP12[1] );
     int nGroups = Int32FromMOTA( pCMAP12[3] );
@@ -2304,8 +2307,9 @@ int MapString(TrueTypeFont *ttf, sal_uInt16 *str, int nchars, sal_uInt16 *glyphA
         case CMAP_MS_Johab:     TranslateString16(str, cp, nchars); break;
     }
 
+    const sal_uInt32 nMaxCmapSize = ttf->ptr + ttf->fsize - ttf->cmap;
     for (i = 0; i < nchars; i++) {
-        cp[i] = (sal_uInt16)ttf->mapper(ttf->cmap, cp[i]);
+        cp[i] = (sal_uInt16)ttf->mapper(ttf->cmap, nMaxCmapSize, cp[i]);
         if (cp[i]!=0 && bvertical)
             cp[i] = (sal_uInt16)UseGSUB(ttf,cp[i]);
     }
@@ -2316,10 +2320,12 @@ sal_uInt16 MapChar(TrueTypeFont *ttf, sal_uInt16 ch, bool bvertical)
 {
     switch (ttf->cmapType) {
         case CMAP_MS_Symbol:
-
+        {
+            const sal_uInt32 nMaxCmapSize = ttf->ptr + ttf->fsize - ttf->cmap;
             if( ttf->mapper == getGlyph0 && ( ch & 0xf000 ) == 0xf000 )
                 ch &= 0x00ff;
-            return (sal_uInt16)ttf->mapper(ttf->cmap, ch );
+            return (sal_uInt16)ttf->mapper(ttf->cmap, nMaxCmapSize, ch );
+        }
 
         case CMAP_MS_Unicode:   break;
         case CMAP_MS_ShiftJIS:  ch = TranslateChar12(ch); break;
@@ -2329,7 +2335,8 @@ sal_uInt16 MapChar(TrueTypeFont *ttf, sal_uInt16 ch, bool bvertical)
         case CMAP_MS_Johab:     ch = TranslateChar16(ch); break;
         default:                return 0;
     }
-    ch = (sal_uInt16)ttf->mapper(ttf->cmap, ch);
+    const sal_uInt32 nMaxCmapSize = ttf->ptr + ttf->fsize - ttf->cmap;
+    ch = (sal_uInt16)ttf->mapper(ttf->cmap, nMaxCmapSize, ch);
     if (ch!=0 && bvertical)
         ch = (sal_uInt16)UseGSUB(ttf,ch);
     return ch;

More information about the Libreoffice-commits mailing list