vcl/source/fontsubset/cff.cxx |   18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

New commits:
commit 45b0b47d114437198c9e0872d427576e6e7e6cc6
Author: Michael Stahl <mst...@redhat.com>
Date:   Tue Aug 5 12:50:05 2014 +0200

    fdo#81516: vcl: limit number of CFFs read from font
    
    Change-Id: I9928b9805169a2dbb41be669dc37617b30bc672b

diff --git a/vcl/source/fontsubset/cff.cxx b/vcl/source/fontsubset/cff.cxx
index 2ce3286..8293279 100644
--- a/vcl/source/fontsubset/cff.cxx
+++ b/vcl/source/fontsubset/cff.cxx
@@ -325,7 +325,7 @@ public:
     explicit CffSubsetterContext( const U8* pBasePtr, int nBaseLen);
     ~CffSubsetterContext( void);
 
-    void    initialCffRead( void);
+    bool    initialCffRead();
     bool    emitAsType1( class Type1Emitter&,
                 const sal_GlyphId* pGlyphIds, const U8* pEncoding,
                 GlyphWidth* pGlyphWidths, int nGlyphCount, FontSubsetInfo& );
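Review bot: Nothing at this declaration makes callers consume the new `bool` result of `initialCffRead()`, so a later call site could ignore a rejected font and carry on to `emitAsType1()` with a partially initialised context. Marking the method as must-use, `SAL_WARN_UNUSED_RESULT bool initialCffRead();`, lets the compiler flag that. A one-line comment such as `// returns false if the CFF data is malformed and must not be subset` would document the contract. The class body starts and ends outside this hunk.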
@@ -1443,7 +1443,7 @@ CffGlobal::CffGlobal( void)
     // TODO; maFontMatrix.clear();
 }
 
-void CffSubsetterContext::initialCffRead( void)
+bool CffSubsetterContext::initialCffRead()
 {
     // get the CFFHeader
     mpReadPtr = mpBasePtr;
@@ -1501,7 +1501,11 @@ void CffSubsetterContext::initialCffRead( void)
 //      assert( mnFontDictBase == tellRel());
         mpReadPtr = mpBasePtr + mnFontDictBase;
         mnFDAryCount = (mpReadPtr[0]<<8) + mpReadPtr[1];
-        assert( mnFDAryCount < (int)(sizeof(maCffLocal)/sizeof(*maCffLocal)));
+        if (static_cast<size_t>(mnFDAryCount) >= SAL_N_ELEMENTS(maCffLocal))
+        {
+            SAL_INFO("vcl.fonts", "CffSubsetterContext: too many CFF in font");
+            return false;
+        }
 
         // read FDArray details to get access to the PRIVDICTs
         for( int i = 0; i < mnFDAryCount; ++i) {
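Review bot: The count tested by the new check is read from `mpBasePtr + mnFontDictBase` two lines earlier, and nothing in this hunk verifies that this offset plus two bytes lies inside the `nBaseLen` bytes handed to the constructor. A font with a bad FDArray offset could therefore still cause an out-of-bounds read before the guard runs. A range check on `mnFontDictBase` ahead of the `mpReadPtr[0]`/`mpReadPtr[1]` read, returning `false` in the same way, would cover that; the offsets followed inside the `for` loop, whose body is outside the hunk, probably need the same check. Since this branch rejects malformed input, `SAL_WARN("vcl.fonts", ...)` would be more visible than `SAL_INFO`. The function starts and ends outside this hunk, so an earlier check may already exist there.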
@@ -1542,6 +1546,8 @@ void CffSubsetterContext::initialCffRead( void)
     }
 
     // ignore the Notices info
+
+    return true;
 }
 
 // get a cstring from a StringID
@@ -2176,14 +2182,16 @@ bool CffSubsetterContext::emitAsType1( Type1Emitter& 
rEmitter,
 bool FontSubsetInfo::CreateFontSubsetFromCff( GlyphWidth* pOutGlyphWidths )
 {
     CffSubsetterContext aCff( mpInFontBytes, mnInByteLength);
-    aCff.initialCffRead();
+    bool bRC = aCff.initialCffRead();
+    if (!bRC)
+        return bRC;
 
     // emit Type1 subset from the CFF input
     // TODO: also support CFF->CFF subsetting (when PDF-export and PS-printing 
need it)
     const bool bPfbSubset = (0 != (mnReqFontTypeMask & 
FontSubsetInfo::TYPE1_PFB));
     Type1Emitter aType1Emitter( mpOutFile, bPfbSubset);
     aType1Emitter.setSubsetName( mpReqFontName);
-    bool bRC = aCff.emitAsType1( aType1Emitter,
+    bRC = aCff.emitAsType1( aType1Emitter,
         mpReqGlyphIds, mpReqEncodedIds,
         pOutGlyphWidths, mnReqGlyphCount, *this);
     return bRC;
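Review bot: `bRC` now carries two unrelated results in `CreateFontSubsetFromCff`, and `return bRC;` in the failure branch hides that the value is always `false` there. Writing the early exit as `if (!aCff.initialCffRead()) return false;` states it directly and lets the later `bool bRC = aCff.emitAsType1( aType1Emitter,` declaration stay as it was. The function's closing brace is outside the hunk.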