From 0730d623854dc17ce0c3f1f2755a90b656c8e52c Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Sun, 28 Oct 2018 15:38:42 -0700
Subject: [PATCH] [sbix] Check glyph data end is in range

---
 src/hb-ot-color-sbix-table.hh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
index d3b737792..51e4a1666 100644
--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
@@ -90,11 +90,13 @@ struct SBIXStrike
     unsigned int retry_count = 8;
     unsigned int sbix_len = sbix_blob->length;
     unsigned int strike_offset = (const char *) this - (const char *) sbix_blob->data;
+    assert (strike_offset < sbix_len);

   retry:
     if (unlikely (glyph_id >= num_glyphs ||
		  imageOffsetsZ[glyph_id + 1] < imageOffsetsZ[glyph_id] ||
-		  imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] <= SBIXGlyph::min_size))
+		  imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] <= SBIXGlyph::min_size ||
+		  (unsigned int) imageOffsetsZ[glyph_id + 1] > sbix_len - strike_offset))
       return hb_blob_get_empty ();

     unsigned int glyph_offset = strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size;
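Review bot: The new end-of-data check `(unsigned int) imageOffsetsZ[glyph_id + 1] > sbix_len - strike_offset` is only sound while `strike_offset < sbix_len` holds, and the sole guard for that is the added `assert`, which is compiled out in release builds; if the invariant were ever violated there, the unsigned subtraction would wrap and the check would accept any offset. The invariant is presumably real since `this` points into the sanitized blob, but a runtime guard keeps the bounds check independent of build mode, e.g. `if (unlikely (strike_offset >= sbix_len)) return hb_blob_get_empty ();` in place of (or alongside) the assert. Whether `imageOffsetsZ` has `num_glyphs + 1` entries, which the `glyph_id + 1` read relies on, cannot be confirmed from this hunk. The enclosing function starts and ends outside the hunk, and the jump back to `retry` is not visible here.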