ofz#45081 check font length

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130635 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de> (cherry picked from commit 568753f4d867c4681b762b63f9b1254f56865da4) Change-Id: Ib8cea70652ae90403db3546c07d24a517b1ec93e
author: Caolán McNamara <caolanm@redhat.com> 2022-02-27 12:05:38 +0000
committer: Andras Timar <andras.timar@collabora.com> 2022-05-31 15:43:24 +0200
commit: 816201193e7852d8f92a3541354d2c423345c810 (patch)
tree: cbf5e4c82cc04b898767156e5353968675a87c85
parent: b44cb89951c302840edacb034bc4bd9e6f0e8412 (diff)
1 files changed, 27 insertions, 7 deletions
diff --git a/vcl/source/fontsubset/ttcr.cxx b/vcl/source/fontsubset/ttcr.cxx
index e78f6d01853b..44d53ff10a23 100644
--- a/vcl/source/fontsubset/ttcr.cxx
+++ b/vcl/source/fontsubset/ttcr.cxx
@@ -25,6 +25,7 @@
 
 #include "ttcr.hxx"
 #include "list.h"
+#include <sal/log.hxx>
 #include <string.h>
 
 namespace vcl
@@ -1288,14 +1289,21 @@ static void ProcessTables(TrueTypeCreator *tt)
     do {
         GlyphData *gd = static_cast<GlyphData *>(listCurrent(glyphlist));
 
-        if (gd->compflag) {                       /* re-number all components */
+        if (gd->compflag && gd->nbytes > 10) {    /* re-number all components */
             sal_uInt16 flags, index;
             sal_uInt8 *ptr = gd->ptr + 10;
+            size_t nRemaining = gd->nbytes - 10;
             do {
-                sal_uInt32 j;
+                if (nRemaining < 4)
+                {
+                    SAL_WARN("vcl.fonts", "truncated font");
+                    break;
+                }
                 flags = GetUInt16(ptr, 0);
                 index = GetUInt16(ptr, 2);
+
                 /* XXX use the sorted array of old to new glyphID mapping and do a binary search */
+                sal_uInt32 j;
                 for (j = 0; j < nGlyphs; j++) {
                     if (gid[j] == index) {
                         break;
@@ -1306,20 +1314,32 @@ static void ProcessTables(TrueTypeCreator *tt)
                 PutUInt16(static_cast<sal_uInt16>(j), ptr, 2);
 
                 ptr += 4;
+                nRemaining -= 4;
 
+                sal_uInt32 nAdvance = 0;
                 if (flags & ARG_1_AND_2_ARE_WORDS) {
-                    ptr += 4;
+                    nAdvance += 4;
                 } else {
-                    ptr += 2;
+                    nAdvance += 2;
                 }
 
                 if (flags & WE_HAVE_A_SCALE) {
-                    ptr += 2;
+                    nAdvance += 2;
                 } else if (flags & WE_HAVE_AN_X_AND_Y_SCALE) {
-                    ptr += 4;
+                    nAdvance += 4;
                 } else if (flags & WE_HAVE_A_TWO_BY_TWO) {
-                    ptr += 8;
+                    nAdvance += 8;
                 }
+
+                if (nRemaining < nAdvance)
+                {
+                    SAL_WARN("vcl.fonts", "truncated font");
+                    break;
+                }
+
+                ptr += nAdvance;
+                nRemaining -= nAdvance;
+
             } while (flags & MORE_COMPONENTS);
         }
author	Caolán McNamara <caolanm@redhat.com>	2022-02-27 12:05:38 +0000
committer	Andras Timar <andras.timar@collabora.com>	2022-05-31 15:43:24 +0200
commit	816201193e7852d8f92a3541354d2c423345c810 (patch)
tree	cbf5e4c82cc04b898767156e5353968675a87c85
parent	b44cb89951c302840edacb034bc4bd9e6f0e8412 (diff)