From bb32616bdd6e3b327654bab0e1d790d8d50b893d Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 8 Feb 2018 17:38:59 +0000
Subject: bounds check

Change-Id: I6d32a6b6f1dd91db42a3f154700ea55603f0e4dd
---
 vcl/source/fontsubset/sft.cxx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'vcl/source/fontsubset')

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index a00fe2a7b779..d2423c3dcc89 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1502,7 +1502,7 @@ static int doOpenTTFont( sal_uInt32 facenum, TrueTypeFont* t )
         if (Version != 0x00010000 && Version != 0x00020000) {
             return SF_TTFORMAT;
         }
-        if (facenum >= GetUInt32(t->ptr, 8)) {
+        if (!withinBounds(8, 0, sizeof(sal_uInt32), t->fsize) || facenum >= GetUInt32(t->ptr, 8)) {
             return SF_FONTNO;
         }
         if (withinBounds(12, 4 * facenum, sizeof(sal_uInt32), t->fsize)) {
-- 
cgit v1.2.3