vcl/inc/font/TTFReader.hxx | 36 +++++++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 7 deletions(-)
New commits: commit cae28bbd3c9504f25a2910c5c75498d17fd618df Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Tue May 27 12:44:17 2025 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Tue May 27 16:37:39 2025 +0200 sanity check NameTable Change-Id: I8eba80747511ac3114676be486337183315890e1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185903 Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com> Tested-by: Jenkins
diff --git a/vcl/inc/font/TTFReader.hxx b/vcl/inc/font/TTFReader.hxx
index d45a1e2a6300..67973290b2bd 100644
--- a/vcl/inc/font/TTFReader.hxx
+++ b/vcl/inc/font/TTFReader.hxx
@@ -26,8 +26,19 @@ private:
 const char* mpNameTablePointer;
 const NameTable* mpNameTable;
- const char* getTablePointer(const TableDirectoryEntry* pEntry)
+ const char* getTablePointer(const TableDirectoryEntry* pEntry, size_t nEntrySize)
 {
+ size_t nSize = mrFontDataContainer.size();
+ if (pEntry->offset > nSize)
+ {
+ SAL_WARN("vcl.fonts", "Table offset beyond end of available data");
+ return nullptr;
+ }
+ if (nEntrySize > nSize - pEntry->offset)
+ {
+ SAL_WARN("vcl.fonts", "Insufficient available data for table entry");
+ return nullptr;
+ }
 return mrFontDataContainer.getPointer() + pEntry->offset;
 }
@@ -36,7 +47,7 @@ public:
 const TableDirectoryEntry* pTableDirectoryEntry)
 : mrFontDataContainer(rFontDataContainer)
 , mpTableDirectoryEntry(pTableDirectoryEntry)
- , mpNameTablePointer(getTablePointer(mpTableDirectoryEntry))
+ , mpNameTablePointer(getTablePointer(mpTableDirectoryEntry, sizeof(NameTable)))
 , mpNameTable(reinterpret_cast<const NameTable*>(mpNameTablePointer))
 {
 }
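Review bot: The bounds check added to `getTablePointer` in hunk @@ -26,8 compares `pEntry->offset` and `nEntrySize` only against the size of the whole font container, never against the length the directory entry itself declares. A malformed font whose entry claims fewer bytes than `sizeof(NameTable)` still passes as long as the file continues past that point, so header fields would be read from whatever data follows the table. If `TableDirectoryEntry` exposes the declared length (its definition is not visible here), add a guard such as `if (pEntry->length < nEntrySize) return nullptr;` after the offset check. The identical helper in the second commit on this page (hunk @@ -93,8) has the same gap.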
@@ -46,7 +57,7 @@ public:
 const NameTable* getNameTable() { return mpNameTable; }
 /** Number of tables */
- sal_uInt16 getNumberOfRecords() { return mpNameTable->nCount; }
+ sal_uInt16 getNumberOfRecords() { return mpNameTable ? mpNameTable->nCount : 0; }
 /** Get a name table record for index */
 const NameRecord* getNameRecord(sal_uInt32 index)
commit e6f2f0744e1595cbe7bb03933f71e7dbb5e06174 Author: Caolán McNamara <caolan.mcnam...@collabora.com> AuthorDate: Tue May 27 12:23:44 2025 +0100 Commit: Caolán McNamara <caolan.mcnam...@collabora.com> CommitDate: Tue May 27 16:37:31 2025 +0200 sanity check table offsets and claimed lengths Change-Id: I9c9f3b5f3efcecbe12f6a8ad08455e1f18e6a642 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/185900 Tested-by: Caolán McNamara <caolan.mcnam...@collabora.com> Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/vcl/inc/font/TTFReader.hxx b/vcl/inc/font/TTFReader.hxx
index 7e161abd2829..d45a1e2a6300 100644
--- a/vcl/inc/font/TTFReader.hxx
+++ b/vcl/inc/font/TTFReader.hxx
@@ -93,8 +93,19 @@ private:
 const char* mpFirstPosition;
 sal_uInt16 mnNumberOfTables;
- const char* getTablePointer(const TableDirectoryEntry* pEntry)
+ const char* getTablePointer(const TableDirectoryEntry* pEntry, size_t nEntrySize)
 {
+ size_t nSize = mrFontDataContainer.size();
+ if (pEntry->offset > nSize)
+ {
+ SAL_WARN("vcl.fonts", "Table offset beyond end of available data");
+ return nullptr;
+ }
+ if (nEntrySize > nSize - pEntry->offset)
+ {
+ SAL_WARN("vcl.fonts", "Insufficient available data for table entry");
+ return nullptr;
+ }
 return mrFontDataContainer.getPointer() + pEntry->offset;
 }
@@ -138,7 +149,7 @@ public:
 const auto* pEntry = getEntry(T_OS2);
 if (!pEntry)
 return nullptr;
- return reinterpret_cast<const OS2Table*>(getTablePointer(pEntry));
+ return reinterpret_cast<const OS2Table*>(getTablePointer(pEntry, sizeof(OS2Table)));
 }
 const HeadTable* getHeadTable()
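Review bot: `getNumberOfRecords()` in hunk @@ -46,7 still returns `nCount` exactly as the font supplies it, while the constructor's check only guarantees that `sizeof(NameTable)` bytes (presumably just the fixed header) are present. A caller that loops up to this count depends on `getNameRecord(index)` to keep every record inside the buffer and to cope with `mpNameTablePointer` now being null. That function starts in this hunk's trailing context and its body is outside it, so it should be confirmed to have both guards. The context comment above this accessor reads `/** Number of tables */` although the value is the number of name records; `/** Number of name records, 0 if the table failed validation */` would match the new behaviour.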
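Review bot: `getTablePointer` in hunk @@ -93,8 can now return `nullptr`, but nothing at the declaration says so and the new `nEntrySize` parameter is undocumented. A short comment such as `/// Returns nullptr (after SAL_WARN) unless nEntrySize bytes are available at pEntry->offset.` would make the contract explicit for the `reinterpret_cast` call sites. The same body is repeated verbatim in the NameTable commit on this page (hunk @@ -26,8); a single shared helper taking the container as an argument would keep the two copies of this check from drifting apart. The enclosing class begins outside the hunk.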
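Review bot: The OS/2 accessor in hunk @@ -138,7 (its signature is above the hunk) requires `sizeof(OS2Table)` bytes, which may be stricter than the format needs because the OS/2 table has grown across versions and older fonts carry a shorter one. If `OS2Table` models a later version (its definition is not shown here), a valid older font whose OS/2 table lies near the end of the file would now yield `nullptr`. Consider requiring only the version-0 size here and gating reads of later fields on the table's version field. The `HeadTable` and `NameTable` accessors in the following hunks use fixed-size headers, so this concern is specific to OS/2.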
@@ -146,7 +157,7 @@ public:
 const auto* pEntry = getEntry(T_head);
 if (!pEntry)
 return nullptr;
- return reinterpret_cast<const HeadTable*>(getTablePointer(pEntry));
+ return reinterpret_cast<const HeadTable*>(getTablePointer(pEntry, sizeof(HeadTable)));
 }
 const NameTable* getNameTable()
@@ -154,7 +165,7 @@ public:
 const auto* pEntry = getEntry(T_name);
 if (!pEntry)
 return nullptr;
- return reinterpret_cast<const NameTable*>(getTablePointer(pEntry));
+ return reinterpret_cast<const NameTable*>(getTablePointer(pEntry, sizeof(NameTable)));
 }
 std::unique_ptr<NameTableHandler> getNameTableHandler()