From eb1d8f4abf22b627faf4fd0cf58a4f2e7fa317d2 Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Wed, 7 Feb 2018 16:57:27 +0000
Subject: check kern table size

Change-Id: I65b5f0a8950d54c00d6fd7c385ca1c5dca2ef2c8
Reviewed-on: https://gerrit.libreoffice.org/49383
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Michael Stahl <mstahl@redhat.com>
---
 vcl/source/fontsubset/sft.cxx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'vcl/source')

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 1a4f5f16e4ef..b66324a5a730 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1348,7 +1348,7 @@ static void GetKern(TrueTypeFont *ttf)
     if( !table )
         goto badtable;
 
-    if (GetUInt16(table, 0) == 0) {                                /* Traditional Microsoft style table with sal_uInt16 version and nTables fields */
+    if (nTableSize >= 4 && GetUInt16(table, 0) == 0) { /* Traditional Microsoft style table with sal_uInt16 version and nTables fields */
         ttf->nkern = GetUInt16(table, 2);
         ptr = table + 4;
 
@@ -1379,7 +1379,7 @@ static void GetKern(TrueTypeFont *ttf)
         return;
     }
 
-    if (GetUInt32(table, 0) == 0x00010000) {                       /* MacOS style kern tables: fixed32 version and sal_uInt32 nTables fields */
+    if (nTableSize >= 8 && GetUInt32(table, 0) == 0x00010000) { /* MacOS style kern tables: fixed32 version and sal_uInt32 nTables fields */
         ttf->nkern = GetUInt32(table, 4);
         ptr = table + 8;
 
-- 
cgit v1.2.3