[subset] fix potential integer overflow in gname_t::cmp.

Garret Rieger 2022-05-13 18:05:05 +00:00 committed by Behdad Esfahbod
parent 2d2f66e1a3
commit 19a8db8545
2 changed files with 3 additions and 2 deletions


@ -204,8 +204,9 @@ struct CFFIndex
unsigned int offset_at (unsigned int index) const unsigned int offset_at (unsigned int index) const
{ {
assert (index <= count); assert (index <= count);
const HBUINT8 *p = offsets + offSize * index;
unsigned int size = offSize; unsigned int size = offSize;
const HBUINT8 *p = offsets + size * index;
unsigned int offset = 0; unsigned int offset = 0;
for (; size; size--) for (; size; size--)
offset = (offset << 8) + *p++; offset = (offset << 8) + *p++;
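Review bot: The new line `const HBUINT8 *p = offsets + size * index;` still multiplies two `unsigned int` values, so the product is formed in 32 bits before it is added to the pointer. The only bound on `index` visible here is `assert (index <= count)`, which disappears in NDEBUG builds if this is the standard assert, so a large `index` could wrap the product and leave `p` pointing at the wrong offset entry. Consider widening the product, for example `const HBUINT8 *p = offsets + (size_t) size * index;`. A short comment such as `/* read offSize once; size is consumed by the loop below */` would also explain why the member is copied first, since the commit message mentions only gname_t::cmp. The body of offset_at continues past the end of this hunk.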


@ -1360,7 +1360,7 @@ struct cff1
{ {
const gname_t *a = (const gname_t *)a_; const gname_t *a = (const gname_t *)a_;
const gname_t *b = (const gname_t *)b_; const gname_t *b = (const gname_t *)b_;
int minlen = hb_min (a->name.length, b->name.length); unsigned minlen = hb_min (a->name.length, b->name.length);
int ret = strncmp (a->name.arrayZ, b->name.arrayZ, minlen); int ret = strncmp (a->name.arrayZ, b->name.arrayZ, minlen);
if (ret) return ret; if (ret) return ret;
return a->name.length - b->name.length; return a->name.length - b->name.length;
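Review bot: The final `return a->name.length - b->name.length;` is left unchanged and can still return the wrong sign. If `length` is an unsigned type, as the switch of `minlen` to `unsigned` suggests (its declaration is not in the hunk), the difference wraps modulo 2^32 before conversion to `int`, so lengths that differ by more than INT_MAX compare the wrong way. A comparison form avoids the conversion: `return (a->name.length > b->name.length) - (a->name.length < b->name.length);`. The function signature is outside the hunk, so this assumes callers use only the sign of the result.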