ofz#25774 keep ParseCMAP within legal area

Change-Id: Ic68fadd3d63631cbccda76e7679d95bb89452d25 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103017 Tested-by: Caolán McNamara <caolanm@redhat.com> Reviewed-by: Caolán McNamara <caolanm@redhat.com>
author: Caolán McNamara <caolanm@redhat.com> 2020-09-18 19:33:15 +0100
committer: Caolán McNamara <caolanm@redhat.com> 2020-09-18 22:24:36 +0200
commit: f8474367449a1b6b54918d2753e3a36798761839 (patch)
tree: 5092e9963d8c3eb3f24af049d4a57f8dcc2928a4 /vcl/source
parent: 489afd23ed8eff3b9df4c243b4e4c8fbc264b9d8 (diff)
1 files changed, 14 insertions, 3 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 2a4ca017e3e2..c66ddea45ea7 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -190,12 +190,23 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
             nRangeCount = 0;
         }
 
-        pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
-        pStartGlyphs = new int[ nRangeCount ];
         const unsigned char* pLimitBase = pCmap + nOffset + 14;
         const unsigned char* pBeginBase = pLimitBase + nSegCountX2 + 2;
         const unsigned char* pDeltaBase = pBeginBase + nSegCountX2;
         const unsigned char* pOffsetBase = pDeltaBase + nSegCountX2;
+
+        const int nOffsetBaseStart = pOffsetBase - pCmap;
+        const int nRemainingLen = nLength - nOffsetBaseStart;
+        const int nMaxPossibleRangeOffsets = nRemainingLen / 2;
+        if (nRangeCount > nMaxPossibleRangeOffsets)
+        {
+            SAL_WARN("vcl.gdi", "more range offsets requested then space available");
+            nRangeCount = std::max(0, nMaxPossibleRangeOffsets);
+        }
+
+        pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
+        pStartGlyphs = new int[ nRangeCount ];
+
         sal_UCS4* pCP = pCodePairs;
         for( int i = 0; i < nRangeCount; ++i )
         {
@@ -255,7 +266,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult )
         if (nRangeCount > nMaxPossiblePairs)
         {
             SAL_WARN("vcl.gdi", "more code pairs requested then space available");
-            nRangeCount = nMaxPossiblePairs;
+            nRangeCount = std::max(0, nMaxPossiblePairs);
         }
 
         pCodePairs = new sal_UCS4[ nRangeCount * 2 ];
author	Caolán McNamara <caolanm@redhat.com>	2020-09-18 19:33:15 +0100
committer	Caolán McNamara <caolanm@redhat.com>	2020-09-18 22:24:36 +0200
commit	f8474367449a1b6b54918d2753e3a36798761839 (patch)
tree	5092e9963d8c3eb3f24af049d4a57f8dcc2928a4 /vcl/source
parent	489afd23ed8eff3b9df4c243b4e4c8fbc264b9d8 (diff)