author | Caolán McNamara <caolanm@redhat.com> | 2020-09-15 16:36:17 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2020-09-24 13:12:51 +0200 |
commit | 5fec456a765f09337f39b94166bce28668438205 (patch) | |
tree | 61b16bac16c4710ee08b1fedd215d7ec96383cef | |
parent | a37173b6a14d2ab5a76edc2623dc8f7c954558c4 (diff) |
ofz#25684 keep ParseCMAP within legal area
Change-Id: Iee18b5a9390b79efa67414ea2d229d2816c84e18
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102776
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit a014c82522834c972e247a28d8e5f42998ae3c0e)
ofz#25696 OOM
Change-Id: Ia69e9ce1ca0156e960dddb7e0bf98dfd2be2d7cc
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102846
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit d57b14e3394b081adf0888ed8dcb7b86d66c246c)
ofz#25774 keep ParseCMAP within legal area
Change-Id: Ic68fadd3d63631cbccda76e7679d95bb89452d25
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103017
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit f8474367449a1b6b54918d2753e3a36798761839)
Fix crash from broken font CMAP subtable
ParseCMAP crashes on a broken CMAP subtable of a font used by the
bugdoc of tdf#119074, which returns a negative offset (technically
it's a large positive offset that turns into a wrong negative integer,
which is still out of bounds of the CMAP overall size - you get
the point). This simply ignores that broken subtable, checking for
other existing ones.
Regressed-by: c7482bc2904401e7d975b5721ec861b8589253f9
Change-Id: I95820fe3bb6bd2fe2e0cf9d4c3536abce31fd497
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103033
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 9bf4c5ac49b73cc2a8c89a87ff87238c061a579d)
Missing include
(for std::max, since f8474367449a1b6b54918d2753e3a36798761839 "ofz#25774 keep
ParseCMAP within legal area")
Change-Id: I873c788577e9ec3bd54d9e637d2cf86be7c1f6e6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103089
Tested-by: Jenkins
Reviewed-by: Stephan Bergmann <sbergman@redhat.com>
(cherry picked from commit 8cc52b05744443c64cf5eb62ebe3098cd964c437)
ofz#25855 overflow in nTmpOffset
we already know nLength is >= 24 so just move the calc to the other term
Change-Id: Ic52f1686ccf81e6b13d7eb7e74dbd9cb51c8ea01
ofz#25868 Timeout, encoding conversion only sane in 0..SAL_MAX_UINT16 range
so ignore points outside that range to avoid ludicrous ranges that aren't
possible in the input encoding
Change-Id: Ifb7b9b389d4a31b8820a7da661249223fe1e110c
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103261
Tested-by: Jenkins
Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
-rw-r--r-- | vcl/source/font/fontcharmap.cxx | 32 |
1 files changed, 28 insertions, 4 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 9c8b54682041..92760875b647 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -21,6 +21,7 @@
 #include <rtl/textenc.h>
 #include <sal/log.hxx>
+#include <algorithm>
 #include <vector>
 #include <set>
@@ -150,6 +151,10 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
 continue;
 int nTmpOffset = GetUInt( p+4 );
+
+ if (nTmpOffset > nLength - 2 || nTmpOffset < 0)
+ continue;
+
 int nTmpFormat = GetUShort( pCmap + nTmpOffset );
 if( nTmpFormat == 12 ) // 32bit code -> glyph map format
 nValue += 3;
@@ -179,12 +184,29 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
 {
 int nSegCountX2 = GetUShort( pCmap + nOffset + 6 );
 nRangeCount = nSegCountX2/2 - 1;
- pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
- pStartGlyphs = new int[ nRangeCount ];
+ if (nRangeCount < 0)
+ {
+ SAL_WARN("vcl.gdi", "negative RangeCount");
+ nRangeCount = 0;
+ }
+
 const unsigned char* pLimitBase = pCmap + nOffset + 14;
 const unsigned char* pBeginBase = pLimitBase + nSegCountX2 + 2;
 const unsigned char* pDeltaBase = pBeginBase + nSegCountX2;
 const unsigned char* pOffsetBase = pDeltaBase + nSegCountX2;
+
+ const int nOffsetBaseStart = pOffsetBase - pCmap; const int nRemainingLen = nLength - nOffsetBaseStart; const int nMaxPossibleRangeOffsets = nRemainingLen / 2; if (nRangeCount > nMaxPossibleRangeOffsets)
+ {
+ SAL_WARN("vcl.gdi", "more range offsets requested then space available");
+ nRangeCount = std::max(0, nMaxPossibleRangeOffsets);
+ }
+
+ pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
+ pStartGlyphs = new int[ nRangeCount ];
+
 sal_UCS4* pCP = pCodePairs;
 for( int i = 0; i < nRangeCount; ++i )
 {
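Review bot: The new guard `nTmpOffset > nLength - 2` only covers the two bytes read by `GetUShort( pCmap + nTmpOffset )` on the line right below it; the subtable this offset selects is later parsed with `GetUShort( pCmap + nOffset + 6 )` and a pLimitBase at `nOffset + 14` (next hunk), so a subtable placed in the last few bytes of the table can still be read past nLength. If nOffset is indeed the nTmpOffset chosen by this loop (the selection code is outside the hunk), tightening the bound to the smallest header the per-format parsing touches, e.g. `if (nTmpOffset < 0 || nTmpOffset > nLength - 8) continue;`, or re-checking nOffset against nLength before the format branches, would close that gap. A short comment on the guard, `// must leave room for the 2-byte format field at nTmpOffset`, would document where the constant comes from.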
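Review bot: `const int nOffsetBaseStart = pOffsetBase - pCmap;` derives the bound from pointers that were already formed from the unchecked nSegCountX2, so when `nOffset + 16 + 3*nSegCountX2` exceeds nLength the four pointers point beyond one-past-the-end before the check runs, which is undefined pointer arithmetic (and what UBSan's pointer-overflow check reports) even though nothing is dereferenced. Computing the distance from integers, `const int nOffsetBaseStart = nOffset + 14 + nSegCountX2 + 2 + nSegCountX2 + nSegCountX2;`, and forming the pointers after nRangeCount has been clamped keeps the arithmetic well-defined; nRemainingLen / 2 rounding toward zero on negative input is fine because of the `std::max(0, …)`. The new warning text `"more range offsets requested then space available"` should read `than`. The `for( int i = 0; i < nRangeCount; ++i )` loop that consumes these pointers continues outside the hunk.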
@@ -244,7 +266,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
 if (nRangeCount > nMaxPossiblePairs)
 {
 SAL_WARN("vcl.gdi", "more code pairs requested then space available");
- nRangeCount = nMaxPossiblePairs;
+ nRangeCount = std::max(0, nMaxPossiblePairs);
 }
 pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
@@ -318,7 +340,9 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
 {
 sal_UCS4 cMin = *(pCP++);
 sal_UCS4 cEnd = *(pCP++);
- while( cMin < cEnd )
+ // ofz#25868 the conversion only makes sense with
+ // input codepoints in 0..SAL_MAX_UINT16 range
+ while (cMin < cEnd && cMin <= SAL_MAX_UINT16)
 {
 int j = 0;
 for(; (cMin < cEnd) && (j < NINSIZE); ++cMin ) |
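Review bot: The `cMin <= SAL_MAX_UINT16` bound is applied only on the outer `while`; the inner `for(; (cMin < cEnd) && (j < NINSIZE); ++cMin )` keeps advancing cMin past SAL_MAX_UINT16 when a range straddles 0xFFFF, so the last batch still converts up to NINSIZE-1 code points the new comment says are not meaningful for the input encoding. Mirroring the bound in the inner loop, `for(; (cMin < cEnd) && (cMin <= SAL_MAX_UINT16) && (j < NINSIZE); ++cMin )`, makes the two conditions agree and keeps the per-batch work bounded by the same rule. The batch body and the remainder of the loop are outside the hunk, so whether anything downstream depends on the partial batch is inferred.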