[aat] Correct array indexing when looking up actions in KerxSubTableFormat4 (#2539)
* [aat] Correct array indexing when looking up actions in KerxSubTableFormat4. - For action_type 0 and 1, there are 2 values per action record; for action_type 2, there are 4. So we need to account for these factors when indexing into the ankrData array. Fixes https://github.com/harfbuzz/harfbuzz/issues/2531.
This commit is contained in:
parent
aa732e454a
commit
1e6027e29c
|
@ -508,11 +508,13 @@ struct KerxSubTableFormat4
|
||||||
{
|
{
|
||||||
case 0: /* Control Point Actions.*/
|
case 0: /* Control Point Actions.*/
|
||||||
{
|
{
|
||||||
/* indexed into glyph outline. */
|
/* Indexed into glyph outline. */
|
||||||
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex];
|
/* Each action (record in ankrData) contains two 16-bit fields, so we must
|
||||||
|
double the ankrActionIndex to get the correct offset here. */
|
||||||
|
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex * 2];
|
||||||
if (!c->sanitizer.check_array (data, 2)) return;
|
if (!c->sanitizer.check_array (data, 2)) return;
|
||||||
HB_UNUSED unsigned int markControlPoint = *data++;
|
unsigned int markControlPoint = *data++;
|
||||||
HB_UNUSED unsigned int currControlPoint = *data++;
|
unsigned int currControlPoint = *data++;
|
||||||
hb_position_t markX = 0;
|
hb_position_t markX = 0;
|
||||||
hb_position_t markY = 0;
|
hb_position_t markY = 0;
|
||||||
hb_position_t currX = 0;
|
hb_position_t currX = 0;
|
||||||
|
@ -534,8 +536,10 @@ struct KerxSubTableFormat4
|
||||||
|
|
||||||
case 1: /* Anchor Point Actions. */
|
case 1: /* Anchor Point Actions. */
|
||||||
{
|
{
|
||||||
/* Indexed into 'ankr' table. */
|
/* Indexed into 'ankr' table. */
|
||||||
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex];
|
/* Each action (record in ankrData) contains two 16-bit fields, so we must
|
||||||
|
double the ankrActionIndex to get the correct offset here. */
|
||||||
|
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex * 2];
|
||||||
if (!c->sanitizer.check_array (data, 2)) return;
|
if (!c->sanitizer.check_array (data, 2)) return;
|
||||||
unsigned int markAnchorPoint = *data++;
|
unsigned int markAnchorPoint = *data++;
|
||||||
unsigned int currAnchorPoint = *data++;
|
unsigned int currAnchorPoint = *data++;
|
||||||
|
@ -553,7 +557,9 @@ struct KerxSubTableFormat4
|
||||||
|
|
||||||
case 2: /* Control Point Coordinate Actions. */
|
case 2: /* Control Point Coordinate Actions. */
|
||||||
{
|
{
|
||||||
const FWORD *data = (const FWORD *) &ankrData[entry.data.ankrActionIndex];
|
/* Each action contains four 16-bit fields, so we multiply the ankrActionIndex
|
||||||
|
by 4 to get the correct offset for the given action. */
|
||||||
|
const FWORD *data = (const FWORD *) &ankrData[entry.data.ankrActionIndex * 4];
|
||||||
if (!c->sanitizer.check_array (data, 4)) return;
|
if (!c->sanitizer.check_array (data, 4)) return;
|
||||||
int markX = *data++;
|
int markX = *data++;
|
||||||
int markY = *data++;
|
int markY = *data++;
|
||||||
|
|
|
@ -128,3 +128,4 @@
|
||||||
/System/Library/Fonts/Supplemental/Apple Chancery.ttf@4ec49cba0d4e68d025ada0498c4df1b2f9fd57ac:--font-funcs ot --features smcp=1:U+0066,U+0069,U+0072,U+0073,U+0074:[F.small=0+903|I.small=1+634|R.small=2+1113|S.small=3+911|T.small=4+1075]
|
/System/Library/Fonts/Supplemental/Apple Chancery.ttf@4ec49cba0d4e68d025ada0498c4df1b2f9fd57ac:--font-funcs ot --features smcp=1:U+0066,U+0069,U+0072,U+0073,U+0074:[F.small=0+903|I.small=1+634|R.small=2+1113|S.small=3+911|T.small=4+1075]
|
||||||
/System/Library/Fonts/Supplemental/Apple Chancery.ttf@4ec49cba0d4e68d025ada0498c4df1b2f9fd57ac:--font-funcs ot --features liga=0,dlig=1:U+0066,U+0069,U+0072,U+0073,U+0074:[f=0+639|i=1+606|r=2+853|s_t=3+1438]
|
/System/Library/Fonts/Supplemental/Apple Chancery.ttf@4ec49cba0d4e68d025ada0498c4df1b2f9fd57ac:--font-funcs ot --features liga=0,dlig=1:U+0066,U+0069,U+0072,U+0073,U+0074:[f=0+639|i=1+606|r=2+853|s_t=3+1438]
|
||||||
/System/Library/Fonts/Supplemental/Skia.ttf@caee56fc4085009c1a29a863500908050ea6248f:--font-funcs ot:U+0041,U+0056:[A=0+1345|V=1@-12,0+1346]
|
/System/Library/Fonts/Supplemental/Skia.ttf@caee56fc4085009c1a29a863500908050ea6248f:--font-funcs ot:U+0041,U+0056:[A=0+1345|V=1@-12,0+1346]
|
||||||
|
/System/Library/Fonts/Supplemental/Devanagari Sangam MN.ttc@214b7ffa672bc936745df5a72644f2b705b24b4b:--font-funcs ot:U+092D,U+0941:[dn_bha=0+1339|dn_u_matra.mrk=0@-296,11+0]
|
||||||
|
|
Loading…
Reference in New Issue