AuroraMiddleware/harfbuzz
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix buffer-overrun with Bengali reph positioning code

Browse Source 
This has no security implications whatsoever since we always keep
and extra element at the end of buffer, just in case.

Discovered by oss-fuzz
CC https://github.com/behdad/harfbuzz/issues/139
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=660
This commit is contained in:
Behdad Esfahbod 2017-02-25 13:30:38 -08:00
parent 6685d281d6
commit 85630996b8
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/hb-ot-shape-complex-indic.cc
View File

@ -1497,7 +1497,7 @@ final_reordering_syllable (const hb_ot_shape_plan_t *plan,
if (reph_pos == REPH_POS_AFTER_SUB)
{
new_reph_pos = base;
while (new_reph_pos < end &&
while (new_reph_pos + 1 < end &&
!( FLAG_SAFE (info[new_reph_pos + 1].indic_position()) & (FLAG (POS_POST_C) | FLAG (POS_AFTER_POST) | FLAG (POS_SMVD))))
new_reph_pos++;
if (new_reph_pos < end)