[Libreoffice-commits] core.git: 2 commits - vcl/generic vcl/source

Caolán McNamara caolanm at redhat.com
Fri Nov 28 08:59:18 PST 2014 

 vcl/generic/glyphs/gcach_layout.cxx |   14 +++++++-------
 vcl/source/fontsubset/sft.cxx       |   30 ++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 13 deletions(-)

New commits:
commit b2d3f9b5a12928127b476b10599069efea0ddcde
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Nov 28 16:53:22 2014 +0000

    coverity#1213364 Untrusted loop bound
    
    Change-Id: Ifa9912386d34c1bed40dd02d17e4e5402fc82592

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 2a33640..545222a 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -409,9 +409,9 @@ static int GetTTGlyphOutline(TrueTypeFont *, sal_uInt32 , ControlPoint **, TTGly
 /* returns the number of control points, allocates the pointArray */
 static int GetSimpleTTOutline(TrueTypeFont *ttf, sal_uInt32 glyphID, ControlPoint **pointArray, TTGlyphMetrics *metrics)
 {
-    const sal_uInt8* table = getTable( ttf, O_glyf );
+    const sal_uInt8* table = getTable(ttf, O_glyf);
+    const sal_uInt32 nTableSize = getTableSize(ttf, O_glyf);
     sal_uInt8 flag, n;
-    sal_uInt16 t, lastPoint=0;
     int i, j, z;
 
     *pointArray = 0;
@@ -434,14 +434,32 @@ static int GetSimpleTTOutline(TrueTypeFont *ttf, sal_uInt32 glyphID, ControlPoin
     }
 
     /* determine the last point and be extra safe about it. But probably this code is not needed */
-
+    sal_uInt16 lastPoint=0;
     for (i=0; i<numberOfContours; i++) {
-        if ((t = GetUInt16(ptr, 10+i*2, 1)) > lastPoint) lastPoint = t;
+        const sal_uInt16 t = GetUInt16(ptr, 10+i*2, 1);
+        if (t > lastPoint)
+            lastPoint = t;
     }
 
     sal_uInt16 instLen = GetUInt16(ptr, 10 + numberOfContours*2, 1);
-    const sal_uInt8* p = ptr + 10 + 2 * numberOfContours + 2 + instLen;
-    sal_uInt16 palen = lastPoint+1;
+
+    const sal_uInt32 nOffset = 10 + 2 * numberOfContours + 2 + instLen;
+    if (nOffset > nTableSize)
+        return 0;
+    const sal_uInt8* p = ptr + nOffset;
+
+    const sal_uInt32 nBytesRemaining = nTableSize - nOffset;
+    const sal_uInt16 palen = lastPoint+1;
+
+    //at a minimum its one byte per entry
+    if (palen > nBytesRemaining)
+    {
+        SAL_WARN("vcl.fonts", "Font " << OUString::createFromAscii(ttf->fname) <<
+            "claimed a palen of "
+            << palen << " but max bytes remaining is " << nBytesRemaining);
+        return 0;
+    }
+
     ControlPoint* pa = (ControlPoint*)calloc(palen, sizeof(ControlPoint));
 
     i = 0;
commit 33e8afd668a24285335e42fdcc5d894e046c5bba
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Fri Nov 28 16:55:56 2014 +0000

    Revert "Related: deb#766788 alloc on heap instead of stack"
    
    This reverts commit acdf54c4142b7a51b99eacacee470ac31d6ff0ae.
    
    Change-Id: I1c49a5baac3a3421d23926f4479e674ef46fbf34

diff --git a/vcl/generic/glyphs/gcach_layout.cxx b/vcl/generic/glyphs/gcach_layout.cxx
index 0c0bad2..abd04ba 100644
--- a/vcl/generic/glyphs/gcach_layout.cxx
+++ b/vcl/generic/glyphs/gcach_layout.cxx
@@ -372,7 +372,7 @@ bool HbLayoutEngine::layout(ServerFontLayout& rLayout, ImplLayoutArgs& rArgs)
 
     rLayout.Reserve(nGlyphCapacity);
 
-    std::unique_ptr<vcl::ScriptRun> xScriptRun(new vcl::ScriptRun(reinterpret_cast<const UChar *>(rArgs.mpStr), rArgs.mnLength));
+    vcl::ScriptRun aScriptRun(reinterpret_cast<const UChar *>(rArgs.mpStr), rArgs.mnLength);
 
     Point aCurrPos(0, 0);
     while (true)
@@ -385,21 +385,21 @@ bool HbLayoutEngine::layout(ServerFontLayout& rLayout, ImplLayoutArgs& rArgs)
         // Find script subruns.
         int nCurrentPos = nBidiMinRunPos;
         HbScriptRuns aScriptSubRuns;
-        while (xScriptRun->next())
+        while (aScriptRun.next())
         {
-            if (xScriptRun->getScriptStart() <= nCurrentPos && xScriptRun->getScriptEnd() > nCurrentPos)
+            if (aScriptRun.getScriptStart() <= nCurrentPos && aScriptRun.getScriptEnd() > nCurrentPos)
                 break;
         }
 
         while (nCurrentPos < nBidiEndRunPos)
         {
             int32_t nMinRunPos = nCurrentPos;
-            int32_t nEndRunPos = std::min(xScriptRun->getScriptEnd(), nBidiEndRunPos);
-            HbScriptRun aRun(nMinRunPos, nEndRunPos, xScriptRun->getScriptCode());
+            int32_t nEndRunPos = std::min(aScriptRun.getScriptEnd(), nBidiEndRunPos);
+            HbScriptRun aRun(nMinRunPos, nEndRunPos, aScriptRun.getScriptCode());
             aScriptSubRuns.push_back(aRun);
 
             nCurrentPos = nEndRunPos;
-            xScriptRun->next();
+            aScriptRun.next();
         }
 
         // RTL subruns should be reversed to ensure that final glyph order is
@@ -407,7 +407,7 @@ bool HbLayoutEngine::layout(ServerFontLayout& rLayout, ImplLayoutArgs& rArgs)
         if (bRightToLeft)
             std::reverse(aScriptSubRuns.begin(), aScriptSubRuns.end());
 
-        xScriptRun->reset();
+        aScriptRun.reset();
 
         for (HbScriptRuns::iterator it = aScriptSubRuns.begin(); it != aScriptSubRuns.end(); ++it)
         {

More information about the Libreoffice-commits mailing list