[Libreoffice-commits] core.git: vcl/source
Caolán McNamara (via logerrit)
logerrit at kemper.freedesktop.org
Tue Sep 22 18:37:37 UTC 2020
vcl/source/font/fontcharmap.cxx | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit a7c89adaa0f205aead3c0ad43c0113ff81ba1d98
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Tue Sep 22 16:43:01 2020 +0100
Commit: Caolán McNamara <caolanm at redhat.com>
CommitDate: Tue Sep 22 20:36:54 2020 +0200
ofz#25855 overflow in nTmpOffset
we already know nLength is >= 24 so just move the calc to the other term
Change-Id: Ic52f1686ccf81e6b13d7eb7e74dbd9cb51c8ea01
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103183
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm at redhat.com>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index d672c76c5f42..cf2c839ef8d5 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -153,7 +153,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
int nTmpOffset = GetUInt( p+4 );
- if (nTmpOffset + 2 > nLength || nTmpOffset < 0)
+ if (nTmpOffset > nLength - 2 || nTmpOffset < 0)
continue;
int nTmpFormat = GetUShort( pCmap + nTmpOffset );
More information about the Libreoffice-commits
mailing list