[Libreoffice-commits] core.git: Branch 'libreoffice-7-0' - vcl/source

Caolán McNamara (via logerrit) Wed, 23 Sep 2020 02:12:53 -0700

 vcl/source/font/fontcharmap.cxx |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


New commits:
commit 40136386078ae0aac76806719899eb489cde28db
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Tue Sep 22 16:43:01 2020 +0100
Commit:     Michael Stahl <michael.st...@cib.de>
CommitDate: Wed Sep 23 11:12:06 2020 +0200

    ofz#25855 overflow in nTmpOffset
    
    we already know nLength is >= 24 so just move the calc to the other term
    
    Change-Id: Ic52f1686ccf81e6b13d7eb7e74dbd9cb51c8ea01
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/103186
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@cib.de>

diff --git a/vcl/source/font/fontcharmap.cxx b/vcl/source/font/fontcharmap.cxx
index 027df3ce6df1..fcf0c2c64f52 100644
--- a/vcl/source/font/fontcharmap.cxx
+++ b/vcl/source/font/fontcharmap.cxx
@@ -151,7 +151,7 @@ bool ParseCMAP( const unsigned char* pCmap, int nLength, 
CmapResult& rResult )
 
         int nTmpOffset = GetUInt( p+4 );
 
-        if (nTmpOffset + 2 > nLength || nTmpOffset < 0)
+        if (nTmpOffset > nLength - 2 || nTmpOffset < 0)
             continue;
 
         int nTmpFormat = GetUShort( pCmap + nTmpOffset );
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits

[Libreoffice-commits] core.git: Branch 'libreoffice-7-0' - vcl/source

Reply via email to