From 1ccb457cbb7be2466536661d76d62de9fe582639 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Fri, 29 Mar 2019 18:28:25 -0700
Subject: [PATCH] fix gvar fuzz bug

---
 src/hb-ot-var-gvar-table.hh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/hb-ot-var-gvar-table.hh b/src/hb-ot-var-gvar-table.hh
index 02f85d867..4d2d3c7f1 100644
--- a/src/hb-ot-var-gvar-table.hh
+++ b/src/hb-ot-var-gvar-table.hh
@@ -498,7 +498,13 @@ struct gvar
   }
 
   unsigned int get_glyph_var_data_length (unsigned int glyph) const
-  { return get_offset (glyph+1) - get_offset (glyph); }
+  {
+    unsigned int end_offset = get_offset (glyph+1);
+    unsigned int start_offset = get_offset (glyph);
+    if (unlikely (start_offset > end_offset || end_offset > get_offset(glyphCount)))
+      return 0;
+    return end_offset - start_offset;
+  }
 
   const HBUINT32 *get_long_offset_array () const { return (const HBUINT32 *)&offsetZ; }
   const HBUINT16 *get_short_offset_array () const { return (const HBUINT16 *)&offsetZ; }
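Review bot: The new guard in get_glyph_var_data_length validates the offsets only after both get_offset (glyph+1) and get_offset (glyph) have already indexed the offset array, so a glyph index at or beyond glyphCount still reads past the glyphCount+1 entries before the check can reject it; unless every caller clamps glyph to glyphCount first, which is not visible in this hunk, the function should start with `if (unlikely (glyph >= glyphCount)) return 0;`. The comparison against get_offset (glyphCount) is a useful end-of-data sanity check, but it presumably relies on sanitize() having verified that the full offset array fits in the blob — worth confirming, since otherwise the last entry is read unchecked as well. As a point of style, `get_offset(glyphCount)` drops the space before the argument list that the two calls above it and the rest of the struct use; `get_offset (glyphCount)` keeps the file consistent. A one-line comment such as `/* Return 0 on malformed (non-monotonic or out-of-range) offsets so callers skip the glyph. */` would document why 0 rather than an error is returned.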