[GSUB/GPOS] Fix sanitization in Format1

Fixes https://oss-fuzz.com/testcase-detail/5120727025319936
2023-03-02 10:48:30 -07:00 · 2023-03-02 10:48:30 -07:00 · 08784baf10
parent 7897173870
commit 08784baf10
2 changed files with 16 additions and 12 deletions
--- a/src/OT/Layout/GPOS/SinglePosFormat1.hh
+++ b/src/OT/Layout/GPOS/SinglePosFormat1.hh
@ -28,12 +28,14 @@ struct SinglePosFormat1
    TRACE_SANITIZE (this);
    return_trace (c->check_struct (this) &&
                  coverage.sanitize (c, this) &&
-                  valueFormat.sanitize_value (c, this, values) &&
-                  // The coverage  table may use a range to represent a set
-                  // of glyphs, which means a small number of bytes can
-                  // generate a large glyph set. Manually modify the
-                  // sanitizer max ops to take this into account.
-                  c->check_ops ((this + coverage).get_population () >> 1));
+                  /* The coverage  table may use a range to represent a set
+                   * of glyphs, which means a small number of bytes can
+                   * generate a large glyph set. Manually modify the
+                   * sanitizer max ops to take this into account.
+                   *
+                   * Note: This check *must* be right after coverage sanitize. */
+                  c->check_ops ((this + coverage).get_population () >> 1) &&
+                  valueFormat.sanitize_value (c, this, values));

  }

--- a/src/OT/Layout/GSUB/SingleSubstFormat1.hh
+++ b/src/OT/Layout/GSUB/SingleSubstFormat1.hh
@ -25,12 +25,14 @@ struct SingleSubstFormat1_3
  bool sanitize (hb_sanitize_context_t *c) const
  {
    TRACE_SANITIZE (this);
-    return_trace (coverage.sanitize (c, this) &&
-                  deltaGlyphID.sanitize (c) &&
-                  // The coverage  table may use a range to represent a set
-                  // of glyphs, which means a small number of bytes can
-                  // generate a large glyph set. Manually modify the
-                  // sanitizer max ops to take this into account.
+    return_trace (c->check_struct (this) &&
+                  coverage.sanitize (c, this) &&
+                  /* The coverage  table may use a range to represent a set
+                   * of glyphs, which means a small number of bytes can
+                   * generate a large glyph set. Manually modify the
+                   * sanitizer max ops to take this into account.
+                   *
+                   * Note: This check *must* be right after coverage sanitize. */
                  c->check_ops ((this + coverage).get_population () >> 1));
  }