AuroraMiddleware/harfbuzz
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[subset] Consider instruction length place itself

Browse Source 
Now fixes https://crbug.com/oss-fuzz/16639 completely
This commit is contained in:
Ebrahim Byagowi 2019-08-24 02:59:18 +04:30
parent 922898c814
commit 2aef3013f3
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/hb-ot-glyf-table.hh
View File

@ -541,6 +541,7 @@ struct glyf
int16_t num_contours = (int16_t) glyph_header.numberOfContours; int16_t num_contours = (int16_t) glyph_header.numberOfContours;
if (num_contours < 0) if (num_contours < 0)
{ {
// composite glyph
unsigned int start = glyph.length; unsigned int start = glyph.length;
unsigned int end = glyph.length; unsigned int end = glyph.length;
unsigned int glyph_offset = &glyph - glyf_table; unsigned int glyph_offset = &glyph - glyf_table;
@ -562,6 +563,7 @@ struct glyf
} }
else else
{ {
// simple glyph
unsigned int instruction_length_offset = GlyphHeader::static_size + 2 * num_contours; unsigned int instruction_length_offset = GlyphHeader::static_size + 2 * num_contours;
if (unlikely (instruction_length_offset + 2 > glyph.length)) if (unlikely (instruction_length_offset + 2 > glyph.length))
{ {
@ -570,7 +572,7 @@ struct glyf
} }
const HBUINT16 &instruction_length = StructAtOffset<HBUINT16> (&glyph, instruction_length_offset); const HBUINT16 &instruction_length = StructAtOffset<HBUINT16> (&glyph, instruction_length_offset);
if (unlikely (instruction_length_offset + instruction_length > glyph.length)) // Out of bounds of the current glyph if (unlikely (instruction_length_offset + 2 + instruction_length > glyph.length)) // Out of bounds of the current glyph
{ {
DEBUG_MSG(SUBSET, nullptr, "The instructions array overruns the glyph's boundaries."); DEBUG_MSG(SUBSET, nullptr, "The instructions array overruns the glyph's boundaries.");
return false; return false;