vcl/inc/font/TTFReader.hxx | 9 ++++++++-
vcl/source/font/EOTConverter.cxx | 2 ++
2 files changed, 10 insertions(+), 1 deletion(-)
New commits:
commit dee87890e57c5caa076e8fd3ab8567173d28062b
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Tue May 27 11:20:34 2025 +0100
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Tue May 27 14:08:17 2025 +0200
sanity check on TableDirectory length
Change-Id: Ibaa2fa09114db3dde97eaa93085718711eb676eb
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185892
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/vcl/inc/font/TTFReader.hxx b/vcl/inc/font/TTFReader.hxx
index 018a1adc47e7..717adc21cdb5 100644
--- a/vcl/inc/font/TTFReader.hxx
+++ b/vcl/inc/font/TTFReader.hxx
@@ -12,6 +12,7 @@
#include <font/TTFStructure.hxx>
#include <vcl/font/FontDataContainer.hxx>
#include <rtl/ustrbuf.hxx>
+#include <sal/log.hxx>
namespace font
{
@@ -177,9 +178,15 @@ public:
std::unique_ptr<TableEntriesHandler> getTableEntriesHandler()
{
- auto* pDirectory = getTableDirector();
+ size_t nSize = mrFontDataContainer.size();
+ if (nSize < sizeof(TableDirectory))
+ {
+ SAL_WARN("vcl.fonts", "Font Data shorter than a TableDirectory");
+ return nullptr;
+ }
const char* pPosition = mrFontDataContainer.getPointer() +
sizeof(TableDirectory);
+ auto* pDirectory = getTableDirector();
std::unique_ptr<TableEntriesHandler> pHandler(
new TableEntriesHandler(mrFontDataContainer, pPosition,
pDirectory->nNumberOfTables));
return pHandler;
diff --git a/vcl/source/font/EOTConverter.cxx b/vcl/source/font/EOTConverter.cxx
index d8b044dfc413..89b1199e2a40 100644
--- a/vcl/source/font/EOTConverter.cxx
+++ b/vcl/source/font/EOTConverter.cxx
@@ -79,6 +79,8 @@ bool EOTConverter::convert(std::vector<sal_uInt8>& rEotOutput)
pEot->nReserved4 = 0;
auto pHanlder = aFont.getTableEntriesHandler();
+ if (!pHanlder)
+ return false;
const font::OS2Table* pOS2 = pHanlder->getOS2Table();
if (pOS2)
