cid#1521198 Untrusted loop bound
move sanity check inside CountTTCFonts so it applies
to the fd smuggle in via filename mechanism
Change-Id: Id2fee5801d71720747a8736859681e7c9a324bc3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/147740
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
diff --git a/vcl/source/fontsubset/sft.cxx b/vcl/source/fontsubset/sft.cxx
index 6644946..5495071 100644
--- a/vcl/source/fontsubset/sft.cxx
+++ b/vcl/source/fontsubset/sft.cxx
@@ -1073,8 +1073,6 @@ static void GetNames(AbstractTrueTypeFont *t)
int CountTTCFonts(const char* fname)
{
int nFonts = 0;
sal_uInt8 buffer[12];
FILE* fd;
#ifdef LINUX
int nFD;
@@ -1088,13 +1086,39 @@ int CountTTCFonts(const char* fname)
else
#endif
fd = fopen(fname, "rb");
if( fd ) {
if (fread(buffer, 1, 12, fd) == 12) {
if(GetUInt32(buffer, 0) == T_ttcf )
nFonts = GetUInt32(buffer, 8);
}
fclose(fd);
if (!fd)
return 0;
int nFonts = 0;
sal_uInt8 buffer[12];
if (fread(buffer, 1, 12, fd) == 12) {
if(GetUInt32(buffer, 0) == T_ttcf )
nFonts = GetUInt32(buffer, 8);
}
if (nFonts > 0)
{
fseek(fd, 0, SEEK_END);
sal_uInt64 fileSize = ftell(fd);
//Feel free to calc the exact max possible number of fonts a file
//could contain given its physical size. But this will clamp it to
//a sane starting point
//http://processingjs.nihongoresources.com/the_smallest_font/
//https://github.com/grzegorzrolek/null-ttf
const int nMaxFontsPossible = fileSize / 528;
if (nFonts > nMaxFontsPossible)
{
SAL_WARN("vcl.fonts", "font file " << fname <<" claims to have "
<< nFonts << " fonts, but only "
<< nMaxFontsPossible << " are possible");
nFonts = nMaxFontsPossible;
}
}
fclose(fd);
return nFonts;
}
diff --git a/vcl/unx/generic/fontmanager/fontmanager.cxx b/vcl/unx/generic/fontmanager/fontmanager.cxx
index 0d48a69..e9e2907 100644
--- a/vcl/unx/generic/fontmanager/fontmanager.cxx
+++ b/vcl/unx/generic/fontmanager/fontmanager.cxx
@@ -179,14 +179,12 @@ std::vector<PrintFontManager::PrintFont> PrintFontManager::analyzeFontFile( int
OString aFullPath = aDir + "/" + rFontFile;
bool bSupported;
bool bHack = false;
int nFD;
int n;
if (sscanf(aFullPath.getStr(), "/:FD:/%d%n", &nFD, &n) == 1 && aFullPath.getStr()[n] == '\0')
{
// Hack, pathname that actually means we will use a pre-opened file descriptor
bSupported = true;
bHack = true;
}
else
{
@@ -220,37 +218,6 @@ std::vector<PrintFontManager::PrintFont> PrintFontManager::analyzeFontFile( int
{
SAL_INFO("vcl.fonts", "ttc: " << aFullPath << " contains " << nLength << " fonts");
if (!bHack)
{
sal_uInt64 fileSize = 0;
OUString aURL;
if (osl::File::getFileURLFromSystemPath(OStringToOUString(aFullPath, osl_getThreadTextEncoding()),
aURL) == osl::File::E_None)
{
osl::File aFile(aURL);
if (aFile.open(osl_File_OpenFlag_Read | osl_File_OpenFlag_NoLock) == osl::File::E_None)
{
osl::DirectoryItem aItem;
if (osl::DirectoryItem::get(aURL, aItem) == osl::File::E_None)
{
osl::FileStatus aFileStatus( osl_FileStatus_Mask_FileSize );
if (aItem.getFileStatus(aFileStatus) == osl::File::E_None)
fileSize = aFileStatus.getFileSize();
}
}
}
//Feel free to calc the exact max possible number of fonts a file
//could contain given its physical size. But this will clamp it to
//a sane starting point
//http://processingjs.nihongoresources.com/the_smallest_font/
//https://github.com/grzegorzrolek/null-ttf
const int nMaxFontsPossible = fileSize / 528;
if (nLength > nMaxFontsPossible)
nLength = nMaxFontsPossible;
}
for( int i = 0; i < nLength; i++ )
{
PrintFont aFont;