Check for offset overflows during sanitize

Behdad Esfahbod 2016-12-02 19:51:23 -08:00
parent 4b58c9e326
commit 70eb2ff682


@ -806,6 +806,7 @@ struct OffsetTo : Offset<OffsetType>
if (unlikely (!c->check_struct (this))) return_trace (false);
unsigned int offset = *this;
if (unlikely (!offset)) return_trace (true);
if (unlikely (!c->check_range (base, offset))) return_trace (false);
const Type &obj = StructAtOffset<Type> (base, offset);
return_trace (likely (obj.sanitize (c)) || neuter (c));
}
@ -816,6 +817,7 @@ struct OffsetTo : Offset<OffsetType>
if (unlikely (!c->check_struct (this))) return_trace (false);
unsigned int offset = *this;
if (unlikely (!offset)) return_trace (true);
if (unlikely (!c->check_range (base, offset))) return_trace (false);
const Type &obj = StructAtOffset<Type> (base, offset);
return_trace (likely (obj.sanitize (c, user_data)) || neuter (c));
}
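Review bot: The new `check_range (base, offset)` line that follows the zero-offset return in both overloads needs a comment stating what it proves and what it leaves to the callee: it only establishes that `base + offset` lands inside the blob, while the size of the target struct is still validated by the `obj.sanitize (c)` call on the following line, so a `Type::sanitize` that never calls `check_struct` is not covered by this guard. The failure path also differs from the line below it, which falls back to `neuter (c)` when the target fails its own sanitize, whereas an out-of-range offset fails the whole sanitize with `return_trace (false)`; if that fail-hard behaviour is intended, record it, e.g. `/* Offset target must lie inside the blob before it is dereferenced; the target's own extent is checked by obj.sanitize(). Out-of-range offsets fail outright rather than being neutered. */`. Because the same three-line preamble now appears verbatim in both overloads, any further check will have to be added twice and the two copies can drift; a small shared helper called from both would keep them in step. Both `sanitize` bodies begin before their hunks, so the start of each function is not visible here.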