[Libreoffice-commits] core.git: vcl/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Fri Sep 18 20:25:20 UTC 2020


 vcl/source/font/fontcharmap.cxx |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

New commits:
commit f8474367449a1b6b54918d2753e3a36798761839
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Sep 18 19:33:15 2020 +0100
Commit:     Caolán McNamara <caolanm at redhat.com>
CommitDate: Fri Sep 18 22:24:36 2020 +0200

    ofz#25774 keep ParseCMAP within legal area
    
    Change-Id: Ic68fadd3d63631cbccda76e7679d95bb89452d25
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103017
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 2a4ca017e3e2..c66ddea45ea7 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -190,12 +190,23 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
             nRangeCount = 0;
         }
 
-        pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
-        pStartGlyphs = new int[ nRangeCount ];
         const unsigned char* pLimitBase = pCmap + nOffset + 14;
         const unsigned char* pBeginBase = pLimitBase + nSegCountX2 + 2;
         const unsigned char* pDeltaBase = pBeginBase + nSegCountX2;
         const unsigned char* pOffsetBase = pDeltaBase + nSegCountX2;
+
+        const int nOffsetBaseStart = pOffsetBase - pCmap;
+        const int nRemainingLen = nLength - nOffsetBaseStart;
+        const int nMaxPossibleRangeOffsets = nRemainingLen / 2;
+        if (nRangeCount > nMaxPossibleRangeOffsets)
+        {
+            SAL_WARN("vcl.gdi", "more range offsets requested then space available");
+            nRangeCount = std::max(0, nMaxPossibleRangeOffsets);
+        }
+
+        pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
+        pStartGlyphs = new int[ nRangeCount ];
+
         sal_UCS4* pCP = pCodePairs;
         for( int i = 0; i < nRangeCount; ++i )
         {
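Review bot: The new bound is derived from `pOffsetBase - pCmap`, but `pLimitBase` through `pOffsetBase` are formed from `nOffset` and `nSegCountX2` before anything confirms they stay inside the `nLength` bytes of `pCmap`, and forming a pointer further than one past the end of the buffer is already undefined behaviour. Computing the start as an integer, `const int nOffsetBaseStart = nOffset + 16 + 3 * nSegCountX2;`, and deriving the four base pointers only after the clamp would keep the check itself well defined. Whether that sum can overflow depends on how `nOffset` and `nSegCountX2` are bounded above the hunk, which is not visible here. The clamp only guarantees that `nRangeCount` range-offset entries fit in the buffer, so any read the loop makes relative to a range offset still needs its own bound; the loop body continues outside the hunk.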
@@ -255,7 +266,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
         if (nRangeCount > nMaxPossiblePairs)
         {
             SAL_WARN("vcl.gdi", "more code pairs requested then space available");
-            nRangeCount = nMaxPossiblePairs;
+            nRangeCount = std::max(0, nMaxPossiblePairs);
         }
 
         pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
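Review bot: `std::max(0, nMaxPossiblePairs)` only matters when `nMaxPossiblePairs` is negative, and nothing at the clamp says when that happens or why parsing continues with zero ranges instead of failing. A comment above the assignment would record the intent, for example `// negative when the group data would start beyond nLength; parse no ranges`. The computation of `nMaxPossiblePairs` is outside the hunk, so that wording should be checked against it. The warning here and the one added in the first hunk both read "then space available" where "than" is meant, and neither distinguishes a count that is too large from a negative remaining length, which would help when triaging fuzzer logs.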

