core.git: vcl/inc

Tue, 27 May 2025 06:31:17 -0700 

 vcl/inc/font/TTFReader.hxx |   33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

New commits:
commit 65fdd33cc49a667d3e212163fde99e3ce7433ab5
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Tue May 27 12:01:49 2025 +0100
Commit:     Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Tue May 27 15:30:21 2025 +0200

    sanity check and clip number of records possible
    
    Change-Id: I5c6ded1087302aa9fe4bbe1ee252964a266f6957
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185896
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    Tested-by: Jenkins

diff --git a/vcl/inc/font/TTFReader.hxx b/vcl/inc/font/TTFReader.hxx
index 717adc21cdb5..7e161abd2829 100644
--- a/vcl/inc/font/TTFReader.hxx
+++ b/vcl/inc/font/TTFReader.hxx
@@ -99,12 +99,25 @@ private:
     }
 
 public:
-    TableEntriesHandler(FontDataContainer const& rFontDataContainer, const 
char* pPosition,
-                        sal_uInt16 nNumberOfTables)
+    TableEntriesHandler(FontDataContainer const& rFontDataContainer)
         : mrFontDataContainer(rFontDataContainer)
-        , mpFirstPosition(pPosition)
-        , mnNumberOfTables(nNumberOfTables)
     {
+        const char* pData = mrFontDataContainer.getPointer();
+        assert(mrFontDataContainer.size() >= sizeof(TableDirectory));
+        mpFirstPosition = pData + sizeof(TableDirectory);
+
+        const TableDirectory* pDirectory = reinterpret_cast<const 
TableDirectory*>(pData);
+        mnNumberOfTables = pDirectory->nNumberOfTables;
+
+        size_t nAvailableData = mrFontDataContainer.size() - 
sizeof(TableDirectory);
+        size_t nMaxRecordsPossible = nAvailableData / 
sizeof(TableDirectoryEntry);
+        if (mnNumberOfTables > nMaxRecordsPossible)
+        {
+            SAL_WARN("vcl.fonts", "Font claimed to have " << mnNumberOfTables
+                                                          << " table records, 
but only space for "
+                                                          << 
nMaxRecordsPossible);
+            mnNumberOfTables = nMaxRecordsPossible;
+        }
     }
 
     const TableDirectoryEntry* getEntry(sal_uInt32 nTag)
@@ -171,11 +184,6 @@ public:
     {
     }
 
-    const TableDirectory* getTableDirector()
-    {
-        return reinterpret_cast<const 
TableDirectory*>(mrFontDataContainer.getPointer());
-    }
-
     std::unique_ptr<TableEntriesHandler> getTableEntriesHandler()
     {
         size_t nSize = mrFontDataContainer.size();
@@ -184,12 +192,7 @@ public:
             SAL_WARN("vcl.fonts", "Font Data shorter than a TableDirectory");
             return nullptr;
         }
-        const char* pPosition = mrFontDataContainer.getPointer() + 
sizeof(TableDirectory);
-
-        auto* pDirectory = getTableDirector();
-        std::unique_ptr<TableEntriesHandler> pHandler(
-            new TableEntriesHandler(mrFontDataContainer, pPosition, 
pDirectory->nNumberOfTables));
-        return pHandler;
+        return std::make_unique<TableEntriesHandler>(mrFontDataContainer);
     }
 
     /** Gets the string from a name table */

Reply via email to