[aat] Correct array indexing when looking up actions in KerxSubTableFormat4 (#2539)

* [aat] Correct array indexing when looking up actions in KerxSubTableFormat4.

- For action_type 0 and 1, there are 2 values per action record; for action_type 2, there are 4. So we need to account for these factors when indexing into the ankrData array.

Fixes https://github.com/harfbuzz/harfbuzz/issues/2531.
This commit is contained in:
jfkthame 2020-07-05 22:44:10 +01:00 committed by GitHub
parent aa732e454a
commit 1e6027e29c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 7 deletions

View File

@ -508,11 +508,13 @@ struct KerxSubTableFormat4
{
case 0: /* Control Point Actions.*/
{
/* indexed into glyph outline. */
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex];
/* Indexed into glyph outline. */
/* Each action (record in ankrData) contains two 16-bit fields, so we must
double the ankrActionIndex to get the correct offset here. */
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex * 2];
if (!c->sanitizer.check_array (data, 2)) return;
HB_UNUSED unsigned int markControlPoint = *data++;
HB_UNUSED unsigned int currControlPoint = *data++;
unsigned int markControlPoint = *data++;
unsigned int currControlPoint = *data++;
hb_position_t markX = 0;
hb_position_t markY = 0;
hb_position_t currX = 0;
@ -534,8 +536,10 @@ struct KerxSubTableFormat4
case 1: /* Anchor Point Actions. */
{
/* Indexed into 'ankr' table. */
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex];
/* Indexed into 'ankr' table. */
/* Each action (record in ankrData) contains two 16-bit fields, so we must
double the ankrActionIndex to get the correct offset here. */
const HBUINT16 *data = &ankrData[entry.data.ankrActionIndex * 2];
if (!c->sanitizer.check_array (data, 2)) return;
unsigned int markAnchorPoint = *data++;
unsigned int currAnchorPoint = *data++;
@ -553,7 +557,9 @@ struct KerxSubTableFormat4
case 2: /* Control Point Coordinate Actions. */
{
const FWORD *data = (const FWORD *) &ankrData[entry.data.ankrActionIndex];
/* Each action contains four 16-bit fields, so we multiply the ankrActionIndex
by 4 to get the correct offset for the given action. */
const FWORD *data = (const FWORD *) &ankrData[entry.data.ankrActionIndex * 4];
if (!c->sanitizer.check_array (data, 4)) return;
int markX = *data++;
int markY = *data++;

View File

@ -128,3 +128,4 @@
/System/Library/Fonts/Supplemental/Apple Chancery.ttf@4ec49cba0d4e68d025ada0498c4df1b2f9fd57ac:--font-funcs ot --features smcp=1:U+0066,U+0069,U+0072,U+0073,U+0074:[F.small=0+903|I.small=1+634|R.small=2+1113|S.small=3+911|T.small=4+1075]
/System/Library/Fonts/Supplemental/Apple Chancery.ttf@4ec49cba0d4e68d025ada0498c4df1b2f9fd57ac:--font-funcs ot --features liga=0,dlig=1:U+0066,U+0069,U+0072,U+0073,U+0074:[f=0+639|i=1+606|r=2+853|s_t=3+1438]
/System/Library/Fonts/Supplemental/Skia.ttf@caee56fc4085009c1a29a863500908050ea6248f:--font-funcs ot:U+0041,U+0056:[A=0+1345|V=1@-12,0+1346]
/System/Library/Fonts/Supplemental/Devanagari Sangam MN.ttc@214b7ffa672bc936745df5a72644f2b705b24b4b:--font-funcs ot:U+092D,U+0941:[dn_bha=0+1339|dn_u_matra.mrk=0@-296,11+0]