authorCaolán McNamara <caolanm@redhat.com>2014-06-04 16:17:28 +0100
committerAndras Timar <andras.timar@collabora.com>2014-06-10 22:09:54 +0200
commitc1820243e9bbff8374481df32bd6952612267936 (patch)
tree8820d5ea1749bdc62b15c681235cb6f3066e0bec /vcl
parent9c4624f53961dc4f6822eb2dc2055dbefd7d1f4b (diff)
Resolves: fdo#78477 ensure offset + sizeof(value) is in bounds
a) ptr is just added to offset, so move addition into 2nd arg Change-Id: Ia3e8145c69324f19aeec8b0dd97284ec382d20d7 (cherry picked from commit 57ef375bed4480bbedc799aca274a6bd26745008) b) sort in order of increasing offset Change-Id: I0d2c880438f47f4527037d7ffaf77cf142d24751 (cherry picked from commit 95e92889d3fb0e8a85cefdeb07a02e57130a9799) c) fdo#78477 ensure offset + sizeof(value) is in bounds check that largest offset + value to read is inside available space Change-Id: I4feac37bdfbae5061b3b75ddf44bb20fc5904656 (cherry picked from commit c888c211072f23cfb4cc488c641d8d822f930a33) (cherry picked from commit 891e0f76350890a4dd4331820bde8c118ac06ab0) Reviewed-on: https://gerrit.libreoffice.org/9641 Tested-by: Michael Stahl <mstahl@redhat.com> Reviewed-by: Michael Stahl <mstahl@redhat.com>
Diffstat (limited to 'vcl')
-rw-r--r--vcl/source/fontsubset/sft.cxx23
1 files changed, 17 insertions, 6 deletions
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 868e9704282d..76f8abfe44d2 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -45,6 +45,7 @@
#ifndef NO_TYPE3 /* include CreateT3FromTTGlyphs() */
#include <rtl/crc.h>
#endif
+#include <rtl/ustring.hxx>
#include <osl/endian.h>
#include <algorithm>
@@ -2649,12 +2650,22 @@ int GetTTNameRecords(TrueTypeFont *ttf, NameRecord **nr)
NameRecord* rec = (NameRecord*)calloc(n, sizeof(NameRecord));
for (i = 0; i < n; i++) {
- int nStrOffset = GetUInt16(table + 6, 10 + 12 * i, 1);
- rec[i].platformID = GetUInt16(table + 6, 12 * i, 1);
- rec[i].encodingID = GetUInt16(table + 6, 2 + 12 * i, 1);
- rec[i].languageID = GetUInt16(table + 6, 4 + 12 * i, 1);
- rec[i].nameID = GetUInt16(table + 6, 6 + 12 * i, 1);
- rec[i].slen = GetUInt16(table + 6, 8 + 12 * i, 1);
+ int nLargestFixedOffsetPos = 6 + 10 + 12 * i;
+ int nMinSize = nLargestFixedOffsetPos + sizeof(sal_uInt16);
+ if (nMinSize > nTableSize)
+ {
+ SAL_WARN( "vcl.fonts", "Font " << OUString::createFromAscii(ttf->fname) << " claimed to have "
+ << n << " name records, but only space for " << i);
+ n = i;
+ break;
+ }
+
+ rec[i].platformID = GetUInt16(table, 6 + 0 + 12 * i, 1);
+ rec[i].encodingID = GetUInt16(table, 6 + 2 + 12 * i, 1);
+ rec[i].languageID = GetUInt16(table, 6 + 4 + 12 * i, 1);
+ rec[i].nameID = GetUInt16(table, 6 + 6 + 12 * i, 1);
+ rec[i].slen = GetUInt16(table, 6 + 8 + 12 * i, 1);
+ int nStrOffset = GetUInt16(table, nLargestFixedOffsetPos, 1);
if (rec[i].slen) {
if( nStrBase+nStrOffset+rec[i].slen >= nTableSize ) {
rec[i].sptr = 0;
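Review bot: The new stores starting at `rec[i].platformID = GetUInt16(table, 6 + 0 + 12 * i, 1);` still write through `rec` without checking the `calloc` result on the context line above the loop. `n` is the record count the font itself claims (the new warning text says as much), so a failed allocation while parsing a damaged or hostile font becomes a null-pointer write. A guard before the loop such as `if (!rec) return 0;` would close this, assuming zero is how callers see "no records"; the return path lies outside this hunk, so that value needs confirming. Separately, `nMinSize` adds the `size_t` from `sizeof` to an `int`; writing `static_cast<int>(sizeof(sal_uInt16))` keeps the bounds arithmetic explicitly signed. GetTTNameRecords begins and ends outside the hunk.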