ofz#25684 keep ParseCMAP within legal area

Change-Id: Iee18b5a9390b79efa67414ea2d229d2816c84e18 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102756 Tested-by: Jenkins Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
author: Caolán McNamara <caolanm@redhat.com> 2020-09-15 16:36:17 +0100
committer: Xisco Fauli <xiscofauli@libreoffice.org> 2020-09-16 14:02:57 +0200
commit: 33d63c77c12b949dca9121dd684978d12ae501c1 (patch)
tree: 1403f2eb5c9227c5ec3ffc36f9d2b89a80198660
parent: 62680e9bec0a9a32659e9146e12e13d5fcafc0b4 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 7225f385ad56..9ba392935c60 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -150,6 +150,10 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
             continue;
 
         int nTmpOffset = GetUInt( p+4 );
+
+        if (nTmpOffset + 2 > nLength)
+            continue;
+
         int nTmpFormat = GetUShort( pCmap + nTmpOffset );
         if( nTmpFormat == 12 )                  // 32bit code -> glyph map format
             nValue += 3;
author	Caolán McNamara <caolanm@redhat.com>	2020-09-15 16:36:17 +0100
committer	Xisco Fauli <xiscofauli@libreoffice.org>	2020-09-16 14:02:57 +0200
commit	33d63c77c12b949dca9121dd684978d12ae501c1 (patch)
tree	1403f2eb5c9227c5ec3ffc36f9d2b89a80198660
parent	62680e9bec0a9a32659e9146e12e13d5fcafc0b4 (diff)