[ot-font] Work around broken cmap subtable format 4 length

Roboto was hitting this. FreeType also has pretty much the same code for this, in ttcmap.c:tt_cmap4_validate(): /* in certain fonts, the `length' field is invalid and goes */ /* out of bound. We try to correct this here... */ if ( table + length > valid->limit ) { if ( valid->level >= FT_VALIDATE_TIGHT ) FT_INVALID_TOO_SHORT; length = (FT_UInt)( valid->limit - table ); }
2014-06-04 18:47:55 -04:00 · 2014-06-04 18:47:55 -04:00 · 257d1adfa1
parent 51f563579b
commit 257d1adfa1
1 changed files with 18 additions and 4 deletions
--- a/src/hb-ot-cmap-table.hh
+++ b/src/hb-ot-cmap-table.hh
@ -131,11 +131,25 @@ struct CmapSubtableFormat4
    return true;
  }

-  inline bool sanitize (hb_sanitize_context_t *c) {
+  inline bool sanitize (hb_sanitize_context_t *c)
+  {
    TRACE_SANITIZE (this);
-    return TRACE_RETURN (c->check_struct (this) &&
-			 c->check_range (this, length) &&
-			 16 + 4 * (unsigned int) segCountX2 < length);
+    if (unlikely (!c->check_struct (this)))
+      return TRACE_RETURN (false);
+
+    if (unlikely (!c->check_range (this, length)))
+    {
+      /* Some broken fonts have too long of a "length" value.
+       * If that is the case, just change the value to truncate
+       * the subtable at the end of the blob. */
+      uint16_t new_length = (uint16_t) MIN ((uintptr_t) 65535,
+					    (uintptr_t) (c->end -
+							 (char *) this));
+      if (!c->try_set (&length, new_length))
+	return TRACE_RETURN (false);
+    }
+
+    return TRACE_RETURN (16 + 4 * (unsigned int) segCountX2 <= length);
  }

  protected: