From 1a94804d35d533d39849d21a177039c4cbfade98 Mon Sep 17 00:00:00 2001 From: Garret Rieger Date: Mon, 19 Mar 2018 18:39:22 -0700 Subject: [PATCH] [subset] Add a fix for segfault in hmtx/vmtx subsetting code. --- src/hb-ot-hmtx-table.hh | 13 +++++++++++-- test/api/test-subset-hmtx.c | 3 ++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/hb-ot-hmtx-table.hh b/src/hb-ot-hmtx-table.hh index bff792a60..2af9a5cc1 100644 --- a/src/hb-ot-hmtx-table.hh +++ b/src/hb-ot-hmtx-table.hh @@ -118,6 +118,8 @@ struct hmtxvmtx LongMetric * old_metrics = (LongMetric *) source_table; FWORD *lsbs = (FWORD *) (old_metrics + _mtx.num_advances); char * dest_pos = (char *) dest; + + bool failed = false; for (unsigned int i = 0; i < gids.len; i++) { /* the last metric or the one for gids[i] */ @@ -138,7 +140,14 @@ struct hmtxvmtx } else { - FWORD src_lsb = *(lsbs + gids[i] - _mtx.num_advances); + if (gids[i] >= _mtx.num_metrics) + { + DEBUG_MSG(SUBSET, nullptr, "gid %d is >= number of source metrics %d", + gids[i], _mtx.num_metrics); + failed = true; + break; + } + FWORD src_lsb = *(lsbs + gids[i] - _mtx.num_advances); if (i < num_advances) { /* dest needs a full LongMetric */ @@ -157,7 +166,7 @@ struct hmtxvmtx _mtx.fini (); // Amend header num hmetrics - if (unlikely (!subset_update_header (plan, num_advances))) + if (failed || unlikely (!subset_update_header (plan, num_advances))) { free (dest); return false; diff --git a/test/api/test-subset-hmtx.c b/test/api/test-subset-hmtx.c index cb224972b..0ed62562b 100644 --- a/test/api/test-subset-hmtx.c +++ b/test/api/test-subset-hmtx.c @@ -163,7 +163,8 @@ test_subset_invalid_hmtx (void) hb_subset_profile_t *profile = hb_subset_profile_create(); hb_face_t *subset = hb_subset (face, profile, input); - g_assert (!subset); + g_assert (subset); + g_assert (subset == hb_face_get_empty ()); hb_subset_input_destroy (input); hb_subset_profile_destroy (profile);