From bc8bfb709c015e34a7c9c8f3239b075562da208f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Sat, 5 Mar 2022 10:03:43 +0000
Subject: [PATCH] ofz: record less than 10 bytes is invalid

Change-Id: Ie6b88efbc12b4c7fddb7459e50cba28fcbcf35fe
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/131010
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
---
 vcl/source/fontsubset/sft.cxx | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 8084bb247567..d4c905c068df 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -353,11 +353,18 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 
     const sal_uInt8* ptr = table + nGlyphOffset;
     const sal_uInt32 nMaxGlyphSize = nTableSize - nGlyphOffset;
+    constexpr sal_uInt32 nContourOffset = 10;
+    if (nMaxGlyphSize < nContourOffset)
+        return 0;
 
     const sal_Int16 numberOfContours = GetInt16(ptr, GLYF_numberOfContours_offset);
     if( numberOfContours <= 0 )             /*- glyph is not simple */
         return 0;
 
+    const sal_Int32 nMaxContours = (nMaxGlyphSize - nContourOffset)/2;
+    if (numberOfContours > nMaxContours)
+        return 0;
+
     if (metrics) {                                                    /*- GetCompoundTTOutline() calls this function with NULL metrics -*/
         metrics->xMin = GetInt16(ptr, GLYF_xMin_offset);
         metrics->yMin = GetInt16(ptr, GLYF_yMin_offset);
@@ -368,22 +375,19 @@ static int GetSimpleTTOutline(AbstractTrueTypeFont const *ttf, sal_uInt32 glyphI
 
     /* determine the last point and be extra safe about it. But probably this code is not needed */
     sal_uInt16 lastPoint=0;
-    const sal_Int32 nMaxContours = (nMaxGlyphSize - 10)/2;
-    if (numberOfContours > nMaxContours)
-        return 0;
     for (i=0; i<numberOfContours; i++)
     {
-        const sal_uInt16 t = GetUInt16(ptr, 10+i*2);
+        const sal_uInt16 t = GetUInt16(ptr, nContourOffset + i * 2);
         if (t > lastPoint)
             lastPoint = t;
     }
 
-    sal_uInt32 nInstLenOffset = 10 + numberOfContours * 2;
+    sal_uInt32 nInstLenOffset = nContourOffset + numberOfContours * 2;
     if (nInstLenOffset + 2 > nMaxGlyphSize)
         return 0;
     sal_uInt16 instLen = GetUInt16(ptr, nInstLenOffset);
 
-    sal_uInt32 nOffset = 10 + 2 * numberOfContours + 2 + instLen;
+    sal_uInt32 nOffset = nContourOffset + 2 * numberOfContours + 2 + instLen;
     if (nOffset > nMaxGlyphSize)
         return 0;
     const sal_uInt8* p = ptr + nOffset;
-- 
2.11.4.GIT