diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2014-06-06 10:07:11 +0100 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2014-06-06 10:07:26 +0100 |
| commit | 44f422048754c5fe3540750eec996c8a63bf6da4 (patch) | |
| tree | 63d1b95adeb658bae704ada6d663e93bceabe5ae /vcl | |
| parent | e990e4d145f16c0c7e4e9e12c4882ddde63a3d5a (diff) | |
use sfntLen in DumpSfnts to do some sanity checking
Change-Id: Ic3b196f925a1699f02ad9a5c1183ea767e3e91cf
Diffstat (limited to 'vcl')
| -rw-r--r-- | vcl/source/fontsubset/sft.cxx | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx index 2fdd6ea0e705..e2c136b9eb69 100644 --- a/vcl/source/fontsubset/sft.cxx +++ b/vcl/source/fontsubset/sft.cxx @@ -2091,7 +2091,6 @@ static void DumpSfnts(FILE *outf, sal_uInt8 *sfntP, sal_uInt32 sfntLen) assert(numTables <= 9); /* Type42 has 9 required tables */ sal_uInt32* offs = (sal_uInt32*)scalloc(numTables, sizeof(sal_uInt32)); -// sal_uInt32* lens = (sal_uInt32*)scalloc(numTables, sizeof(sal_uInt32)); fputs("/sfnts [", outf); HexFmtOpenString(h); @@ -2099,9 +2098,18 @@ static void DumpSfnts(FILE *outf, sal_uInt8 *sfntP, sal_uInt32 sfntLen) HexFmtBlockWrite(h, sfntP+12, 16 * numTables); /* stream out the Table Directory */ for (i=0; i<numTables; i++) { - sal_uInt32 tag = GetUInt32(sfntP + 12, 16 * i, 1); - sal_uInt32 off = GetUInt32(sfntP + 12, 16 * i + 8, 1); - sal_uInt32 len = GetUInt32(sfntP + 12, 16 * i + 12, 1); + sal_uInt32 nLargestFixedOffsetPos = 12 + 16 * i + 12; + sal_uInt32 nMinSize = nLargestFixedOffsetPos + sizeof(sal_uInt32); + if (nMinSize > sfntLen) + { + SAL_WARN( "vcl.fonts", "DumpSfnts claimed to have " + << numTables << " tables, but only space for " << i); + break; + } + + sal_uInt32 tag = GetUInt32(sfntP, 12 + 16 * i, 1); + sal_uInt32 off = GetUInt32(sfntP, 12 + 16 * i + 8, 1); + sal_uInt32 len = GetUInt32(sfntP, 12 + 16 * i + 12, 1); if (tag != T_glyf) { HexFmtBlockWrite(h, sfntP + off, len); |