vcl/inc/font/TTFReader.hxx |   11 +++++++++++
 1 file changed, 11 insertions(+)

New commits:
commit 9a6f770f7c7038670c8dc80274bd9ed2e6a6d256
Author:     Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Thu May 29 14:24:48 2025 +0100
Commit:     Tomaž Vajngerl <qui...@gmail.com>
CommitDate: Wed Jun 4 13:39:04 2025 +0200

    ofz: sanity check NameTableString
    
    Change-Id: Iac194d464e4badb338a1b8ff49105cc87d125125
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/186009
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    (cherry picked from commit 4a519c00b11f9fda5a50e9e084e9ac7043bc65e3)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/186169
    Reviewed-by: Tomaž Vajngerl <qui...@gmail.com>
    Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>

diff --git a/vcl/inc/font/TTFReader.hxx b/vcl/inc/font/TTFReader.hxx
index 29482d4024a8..3f766b52ef8e 100644
--- a/vcl/inc/font/TTFReader.hxx
+++ b/vcl/inc/font/TTFReader.hxx
@@ -239,6 +239,17 @@ public:
     /** Gets the string from a name table */
     OUString getNameTableString(sal_uInt64 nOffset, sal_uInt16 nLength)
     {
+        size_t nSize = mrFontDataContainer.size();
+        if (nOffset > nSize)
+        {
+            SAL_WARN("vcl.fonts", "String offset beyond end of available 
data");
+            return OUString();
+        }
+        if (nLength > nSize - nOffset)
+        {
+            SAL_WARN("vcl.fonts", "Insufficient available data for string 
entry");
+            return OUString();
+        }
         const auto* pString = reinterpret_cast<const o3tl::sal_uInt16_BE*>(
             mrFontDataContainer.getPointer() + nOffset);
         OUStringBuffer aStringBuffer;
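Review bot: The new guard in getNameTableString treats `nLength` as a byte count when it compares it with `nSize - nOffset`, but the data is then read through a `const o3tl::sal_uInt16_BE*`, so the check is only sufficient if the code that follows reads at most `nLength / 2` elements. That loop lies outside this hunk, so it should be confirmed; if it indexes up to `nLength` two-byte elements, the bound would have to cover `nLength * 2` bytes. The doc comment should also state the new contract, e.g. `/** Gets the string from a name table; nLength is in bytes, returns an empty string if the range lies outside the font data */`. Because SAL_WARN output is typically absent from release builds, callers of a malformed name record see only the empty string, which is worth saying in that comment too.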
