[HB] Fix invalid access / overflow on x86-64
Bug 591557 – [HB] crash scrolling the evolution message list Bug 591576 – crashed with SIGSEGV at pango
This commit is contained in:
Behdad Esfahbod
parent
8d70312c7b
commit
0532ed160c
|
|
@ -913,13 +913,14 @@ struct MarkBasePosFormat1
|
|||
|
||||
/* now we search backwards for a non-mark glyph */
|
||||
unsigned int count = buffer->in_pos;
|
||||
unsigned int i = 1, j = count - 1;
|
||||
while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property))
|
||||
unsigned int i = 0, j = count;
|
||||
do
|
||||
{
|
||||
if (HB_UNLIKELY (i == count))
|
||||
return false;
|
||||
i++, j--;
|
||||
}
|
||||
} while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property))
|
||||
|
||||
#if 0
|
||||
/* The following assertion is too strong. */
|
||||
if (!(property & HB_OT_LAYOUT_GLYPH_CLASS_BASE_GLYPH))
|
||||
|
|
@ -1046,13 +1047,14 @@ struct MarkLigPosFormat1
|
|||
|
||||
/* now we search backwards for a non-mark glyph */
|
||||
unsigned int count = buffer->in_pos;
|
||||
unsigned int i = 1, j = count - 1;
|
||||
while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property))
|
||||
unsigned int i = 0, j = count;
|
||||
do
|
||||
{
|
||||
if (HB_UNLIKELY (i == count))
|
||||
return false;
|
||||
i++, j--;
|
||||
}
|
||||
} while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property));
|
||||
|
||||
#if 0
|
||||
/* The following assertion is too strong. */
|
||||
if (!(property & HB_OT_LAYOUT_GLYPH_CLASS_LIGATURE))
|
||||
|
|
@ -1203,13 +1205,14 @@ struct MarkMarkPosFormat1
|
|||
|
||||
/* now we search backwards for a suitable mark glyph until a non-mark glyph */
|
||||
unsigned int count = buffer->in_pos;
|
||||
unsigned int i = 1, j = count - 1;
|
||||
while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), lookup_flag, &property))
|
||||
unsigned int i = 0, j = count;
|
||||
do
|
||||
{
|
||||
if (HB_UNLIKELY (i == count))
|
||||
return false;
|
||||
i++, j--;
|
||||
}
|
||||
} while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), lookup_flag, &property));
|
||||
|
||||
if (!(property & HB_OT_LAYOUT_GLYPH_CLASS_MARK))
|
||||
return false;
|
||||
|
||||
|
|
|
|||
|
|
@ -798,11 +798,9 @@ struct SubstLookup : Lookup
|
|||
}
|
||||
if (ret)
|
||||
_hb_buffer_swap (buffer);
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
/* in-place backward substitution */
|
||||
buffer->in_pos = buffer->in_length - 1;
|
||||
do
|
||||
|
|
|
|||
Loading…
Reference in New Issue