[Libreoffice-commits] core.git: Branch 'libreoffice-6-4' - vcl/source

Caolán McNamara (via logerrit) logerrit at kemper.freedesktop.org
Wed Sep 23 16:12:47 UTC 2020


 vcl/source/font/fontcharmap.cxx |   32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

New commits:
commit 1e41300a9552f90b3d75d5ffadd31ae42a28d249
Author:     Caolán McNamara <caolanm at redhat.com>
AuthorDate: Tue Sep 15 16:36:17 2020 +0100
Commit:     Xisco Fauli <xiscofauli at libreoffice.org>
CommitDate: Wed Sep 23 18:12:14 2020 +0200

    ofz#25684 keep ParseCMAP within legal area
    
    Change-Id: Iee18b5a9390b79efa67414ea2d229d2816c84e18
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102776
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit a014c82522834c972e247a28d8e5f42998ae3c0e)
    
    ofz#25696 OOM
    
    Change-Id: Ia69e9ce1ca0156e960dddb7e0bf98dfd2be2d7cc
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102846
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit d57b14e3394b081adf0888ed8dcb7b86d66c246c)
    
    ofz#25774 keep ParseCMAP within legal area
    
    Change-Id: Ic68fadd3d63631cbccda76e7679d95bb89452d25
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103017
    Tested-by: Caolán McNamara <caolanm at redhat.com>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit f8474367449a1b6b54918d2753e3a36798761839)
    
    Fix crash from broken font CMAP subtable
    
    ParseCMAP crashes on a broken CMAP subtable of a font used by the
    bugdoc of tdf#119074, which returns a negative offset (technically
    it's a large positive offset that wraps to a wrong negative integer,
    which is still out of bounds of the CMAP's overall size - you get
    the point). This simply ignores that broken subtable and checks for
    other existing ones.
    
    Regressed-by: c7482bc2904401e7d975b5721ec861b8589253f9
    Change-Id: I95820fe3bb6bd2fe2e0cf9d4c3536abce31fd497
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103033
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 9bf4c5ac49b73cc2a8c89a87ff87238c061a579d)
    
    Missing include
    
    (for std::max, since f8474367449a1b6b54918d2753e3a36798761839 "ofz#25774 keep
    ParseCMAP within legal area")
    
    Change-Id: I873c788577e9ec3bd54d9e637d2cf86be7c1f6e6
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103089
    Tested-by: Jenkins
    Reviewed-by: Stephan Bergmann <sbergman at redhat.com>
    (cherry picked from commit 8cc52b05744443c64cf5eb62ebe3098cd964c437)
    
    ofz#25855 overflow in nTmpOffset
    
    we already know nLength is >= 24 so just move the calc to the other term
    
    Change-Id: Ic52f1686ccf81e6b13d7eb7e74dbd9cb51c8ea01
    
    ofz#25868 Timeout, encoding conversion only sane in 0..SAL_MAX_UINT16 range
    
    so ignore points outside that range to avoid ludicrous ranges that aren't
    possible in the input encoding
    
    Change-Id: Ifb7b9b389d4a31b8820a7da661249223fe1e110c
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103261
    Tested-by: Jenkins
    Reviewed-by: Xisco Fauli <xiscofauli at libreoffice.org>

diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 9c8b54682041..92760875b647 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -21,6 +21,7 @@
 #include <rtl/textenc.h>
 #include <sal/log.hxx>
 
+#include <algorithm>
 #include <vector>
 #include <set>
 
@@ -150,6 +151,10 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
             continue;
 
         int nTmpOffset = GetUInt( p+4 );
+
+        if (nTmpOffset > nLength - 2 || nTmpOffset < 0)
+            continue;
+
         int nTmpFormat = GetUShort( pCmap + nTmpOffset );
         if( nTmpFormat == 12 )                  // 32bit code -> glyph map format
             nValue += 3;
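Review bot: The new guard `if (nTmpOffset > nLength - 2 || nTmpOffset < 0)` catches the wrapped-negative case only after GetUInt's value has already been narrowed into an int, which for values >= 2^31 is implementation-defined before C++20 rather than a guaranteed negative; comparing in the unsigned domain first is the robust form, e.g. `const sal_uInt32 nRawOffset = GetUInt(p+4); if (nRawOffset > static_cast<sal_uInt32>(nLength - 2)) continue;` followed by `const int nTmpOffset = static_cast<int>(nRawOffset);`, assuming GetUInt yields a 32-bit unsigned as the description implies. The `nLength - 2` bound only guarantees the two bytes of the format field read on the next line; the per-format headers parsed later presumably need their own minimum-size checks, and ParseCMAP continues outside the hunk. A one-line comment such as `// 2 bytes: the subtable format field read below` would document why the bound is 2.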
@@ -179,12 +184,29 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
     {
         int nSegCountX2 = GetUShort( pCmap + nOffset + 6 );
         nRangeCount = nSegCountX2/2 - 1;
-        pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
-        pStartGlyphs = new int[ nRangeCount ];
+        if (nRangeCount < 0)
+        {
+            SAL_WARN("vcl.gdi", "negative RangeCount");
+            nRangeCount = 0;
+        }
+
         const unsigned char* pLimitBase = pCmap + nOffset + 14;
         const unsigned char* pBeginBase = pLimitBase + nSegCountX2 + 2;
         const unsigned char* pDeltaBase = pBeginBase + nSegCountX2;
         const unsigned char* pOffsetBase = pDeltaBase + nSegCountX2;
+
+        const int nOffsetBaseStart = pOffsetBase - pCmap;
+        const int nRemainingLen = nLength - nOffsetBaseStart;
+        const int nMaxPossibleRangeOffsets = nRemainingLen / 2;
+        if (nRangeCount > nMaxPossibleRangeOffsets)
+        {
+            SAL_WARN("vcl.gdi", "more range offsets requested then space available");
+            nRangeCount = std::max(0, nMaxPossibleRangeOffsets);
+        }
+
+        pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
+        pStartGlyphs = new int[ nRangeCount ];
+
         sal_UCS4* pCP = pCodePairs;
         for( int i = 0; i < nRangeCount; ++i )
         {
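Review bot: The read `int nSegCountX2 = GetUShort( pCmap + nOffset + 6 );` happens before any check that the 14-byte format-4 header lies within nLength, and if nOffset is the nTmpOffset admitted by the previous hunk it is only known to satisfy nOffset + 2 <= nLength, so a subtable placed in the last 2–13 bytes still reads past the end here and derives the four array bases from garbage. A guard before that line, e.g. `if (nOffset + 14 > nLength) { SAL_WARN("vcl.gdi", "format 4 cmap header truncated"); return false; }` (or whatever failure path ParseCMAP uses, which is outside the hunk), would make the later clamp sufficient. The clamp against nMaxPossibleRangeOffsets bounds the four segment arrays, but the idRangeOffset-relative glyph-id reads in the loop that follows, which continues outside the hunk, need their own check if they are not already bounded. Minor: the new warning text reads `then` where `than` is meant.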
@@ -244,7 +266,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
         if (nRangeCount > nMaxPossiblePairs)
         {
             SAL_WARN("vcl.gdi", "more code pairs requested then space available");
-            nRangeCount = nMaxPossiblePairs;
+            nRangeCount = std::max(0, nMaxPossiblePairs);
         }
 
         pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
@@ -318,7 +340,9 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
         {
             sal_UCS4 cMin = *(pCP++);
             sal_UCS4 cEnd = *(pCP++);
-            while( cMin < cEnd )
+            // ofz#25868 the conversion only makes sense with
+            // input codepoints in 0..SAL_MAX_UINT16 range
+            while (cMin < cEnd && cMin <= SAL_MAX_UINT16)
             {
                 int j = 0;
                 for(; (cMin < cEnd) && (j < NINSIZE); ++cMin )
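Review bot: The inner `for(; (cMin < cEnd) && (j < NINSIZE); ++cMin )` does not carry the new `cMin <= SAL_MAX_UINT16` bound, so a range straddling 0xFFFF still feeds up to NINSIZE-1 codepoints above it into the conversion within the last chunk before the outer while stops; if the intent is to exclude them entirely, clamp the end once instead, e.g. `if (cEnd > SAL_MAX_UINT16 + 1) cEnd = SAL_MAX_UINT16 + 1;` before the while (treating cEnd as exclusive, as `cMin < cEnd` suggests), and drop the extra condition. The loop body continues outside the hunk, so whether those over-range points are harmlessly truncated or actually emitted cannot be told from here.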

