diff options
author | Caolán McNamara <caolanm@redhat.com> | 2020-09-15 16:36:17 +0100 |
---|---|---|
committer | Xisco Fauli <xiscofauli@libreoffice.org> | 2020-09-16 14:02:57 +0200 |
commit | 33d63c77c12b949dca9121dd684978d12ae501c1 (patch) | |
tree | 1403f2eb5c9227c5ec3ffc36f9d2b89a80198660 /vcl | |
parent | 62680e9bec0a9a32659e9146e12e13d5fcafc0b4 (diff) |
ofz#25684 keep ParseCMAP within legal area
Change-Id: Iee18b5a9390b79efa67414ea2d229d2816c84e18
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/102756
Tested-by: Jenkins
Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/source/font/fontcharmap.cxx | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx index 7225f385ad56..9ba392935c60 100644 --- a/vcl/source/font/fontcharmap.cxx +++ b/vcl/source/font/fontcharmap.cxx @@ -150,6 +150,10 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, CmapResult& rResult ) continue; int nTmpOffset = GetUInt( p+4 ); + + if (nTmpOffset + 2 > nLength) + continue; + int nTmpFormat = GetUShort( pCmap + nTmpOffset ); if( nTmpFormat == 12 ) // 32bit code -> glyph map format nValue += 3; |