vcl/source/fontsubset/sft.cxx | 42 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-)
New commits:
commit fc6d3381da7555c7144b650d239ce1d88ce9026e
Author: Caolán McNamara <caol...@redhat.com>
AuthorDate: Wed Mar 2 09:04:00 2022 +0000
Commit: Caolán McNamara <caol...@redhat.com>
CommitDate: Wed Mar 2 15:40:54 2022 +0100
ofz: don't read past end of record
Change-Id: I9fced38faf46dce9f4cc2b96e351e7ae945d0ac1
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/130823
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caol...@redhat.com>
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 00c46d3caf1f..e2ae8a450954 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -340,7 +340,7 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 {
 sal_uInt32 nTableSize;
 const sal_uInt8* table = ttf->table(O_glyf, nTableSize);
- sal_uInt8 flag, n;
+ sal_uInt8 n;
 int i, j, z;
 *pointArray = nullptr;
@@ -385,7 +385,7 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 return 0;
 const sal_uInt8* p = ptr + nOffset;
- const sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
+ sal_uInt32 nBytesRemaining = nMaxGlyphSize - nOffset;
 const sal_uInt32 palen = lastPoint+1;
 //at a minimum its one byte per entry
@@ -401,10 +401,22 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 i = 0;
 while (i <= lastPoint) {
- flag = *p++;
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
+ sal_uInt8 flag = *p++;
+ --nBytesRemaining;
 pa[i++].flags = static_cast<sal_uInt32>(flag);
 if (flag & 8) { /*- repeat flag */
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 n = *p++;
+ --nBytesRemaining;
 // coverity[tainted_data : FALSE] - i > lastPoint extra checks the n loop bound
 for (j=0; j<n; j++) {
 if (i > lastPoint) { /*- if the font is really broken */
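Review bot: The `break` taken on a short read in the flag loop (before `sal_uInt8 flag = *p++;` and again before `n = *p++;`) stops consuming bytes but does not fail the call, so if GetSimpleTTOutline later returns the point count (its tail is outside this hunk) the caller receives a silently truncated outline in which the unread `pa[]` entries still hold whatever they were initialised with. A truncated glyph record is a malformed-font case like the one already handled by the `return 0;` that precedes `const sal_uInt8* p = ptr + nOffset;` in the previous hunk, so failing the same way (releasing `pa` first if it is heap-allocated; the allocation is not visible here) is the safer outcome. The check-then-decrement pair is also repeated six times across this and the two following hunks; a local helper such as `auto takeBytes = [&](sal_uInt32 nWanted) { if (nBytesRemaining < nWanted) { SAL_WARN("vcl.fonts", "short read"); return false; } nBytesRemaining -= nWanted; return true; };` used as `if (!takeBytes(1)) break;` keeps the bookkeeping in one place. The function begins before the first hunk and continues past this one.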
@@ -420,14 +432,26 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 z = 0;
 for (i = 0; i <= lastPoint; i++) {
 if (pa[i].flags & 0x02) {
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 if (pa[i].flags & 0x10) {
 z += static_cast<int>(*p++);
 } else {
 z -= static_cast<int>(*p++);
 }
+ --nBytesRemaining;
 } else if ( !(pa[i].flags & 0x10)) {
+ if (nBytesRemaining < 2)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 z += GetInt16(p, 0);
 p += 2;
+ nBytesRemaining -= 2;
 }
 pa[i].x = static_cast<sal_Int16>(z);
 }
@@ -436,14 +460,26 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 z = 0;
 for (i = 0; i <= lastPoint; i++) {
 if (pa[i].flags & 0x04) {
+ if (!nBytesRemaining)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 if (pa[i].flags & 0x20) {
 z += *p++;
 } else {
 z -= *p++;
 }
+ --nBytesRemaining;
 } else if ( !(pa[i].flags & 0x20)) {
+ if (nBytesRemaining < 2)
+ {
+ SAL_WARN("vcl.fonts", "short read");
+ break;
+ }
 z += GetInt16(p, 0);
 p += 2;
+ nBytesRemaining -= 2;
 }
 pa[i].y = static_cast<sal_Int16>(z);
 }
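Review bot: In the x-coordinate loop the two short-read `break`s (before `if (pa[i].flags & 0x10) {` and before `z += GetInt16(p, 0);`) leave `pa[i].x` unset for the remaining points and then fall straight into the y-coordinate loop of the `@@ -436,14 +460,26 @@` hunk, which repeats the same checks, warns a second time and decodes y deltas for points whose x was never read; that hunk has the same shape and gets the same comment. Recording the truncation, e.g. `bool bShortRead = false;` set to `true` at each `break`, and then either skipping the y loop or returning failure the way the earlier `return 0;` path does would stop a partial outline from being handed back as if it were complete. The `nBytesRemaining < 2` guard before `GetInt16(p, 0)` and the `nBytesRemaining -= 2;` after `p += 2;` match the bytes consumed, and placing the single `--nBytesRemaining;` after the `if`/`else` rather than beside each `*p++` is fine because both branches read exactly one byte. The enclosing function and its return statement lie outside these hunks.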