8271962: Better TrueType font loading

Reviewed-by: psadhukhan, jdv, mschoene, rhalade
2026-03-19 04:13:07 +00:00 · 2021-08-17 20:56:54 +00:00 · 2021-08-17 20:56:54 +00:00 · afd0dc76b6
commit afd0dc76b6
parent b02ea6dc3c
1 changed files with 10 additions and 2 deletions
--- a/src/java.desktop/share/classes/sun/font/TrueTypeFont.java
+++ b/src/java.desktop/share/classes/sun/font/TrueTypeFont.java
@ -503,7 +503,9 @@ public class TrueTypeFont extends FileFont {
                /* checksum */ ibuffer.get();
                table.offset = ibuffer.get() & 0x7FFFFFFF;
                table.length = ibuffer.get() & 0x7FFFFFFF;
-                if (table.offset + table.length > fileSize) {
+                if ((table.offset + table.length < table.length) ||
+                    (table.offset + table.length > fileSize))
+                {
                    throw new FontFormatException("bad table, tag="+table.tag);
                }
            }
@ -798,8 +800,11 @@ public class TrueTypeFont extends FileFont {
                break;
            }
        }
+
        if (entry == null || entry.length == 0 ||
-            entry.offset+entry.length > fileSize) {
+            (entry.offset + entry.length < entry.length) ||
+            (entry.offset + entry.length > fileSize))
+        {
            return null;
        }

@ -888,6 +893,9 @@ public class TrueTypeFont extends FileFont {
            return false;
        }
        ByteBuffer eblcTable = getTableBuffer(EBLCTag);
+        if (eblcTable == null) {
+            return false;
+        }
        int numSizes = eblcTable.getInt(4);
        /* The bitmapSizeTable's start at offset of 8.
         * Each bitmapSizeTable entry is 48 bytes.