[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - vcl/source
Caolán McNamara
caolanm at redhat.com
Thu Feb 8 12:26:44 UTC 2018
vcl/source/fontsubset/sft.cxx | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
New commits:
commit 358808aeb353e9d17e54c6255dd10be4a7517136
Author: Caolán McNamara <caolanm at redhat.com>
Date: Wed Feb 7 16:05:08 2018 +0000
stay within font bounds
Change-Id: Ie8ed610b71cb1b20963827c2be97155d2d8aa22c
Reviewed-on: https://gerrit.libreoffice.org/49371
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Michael Stahl <mstahl at redhat.com>
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 566226f1e1f0..37a1b14bfc6b 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1576,7 +1576,12 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
/* parse the tables */
for (i=0; i<(int)t->ntables; i++) {
int nIndex;
- tag = GetUInt32(t->ptr + tdoffset + 12, 16 * i);
+ const sal_uInt32 nStart = tdoffset + 12;
+ const sal_uInt32 nOffset = 16 * i;
+ if (nStart + nOffset + sizeof(sal_uInt32) <= static_cast<sal_uInt32>(t->fsize))
+ tag = GetUInt32(t->ptr + nStart, nOffset);
+ else
+ tag = static_cast<sal_uInt32>(-1);
switch( tag ) {
case T_maxp: nIndex = O_maxp; break;
case T_glyf: nIndex = O_glyf; break;
More information about the Libreoffice-commits
mailing list