Fix sanitize fail of extension sublookups

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=960331
This commit is contained in:
Behdad Esfahbod 2019-05-10 16:01:39 -07:00
parent 9c0c3589f3
commit 25a5b287f2
3 changed files with 10 additions and 2 deletions


@ -751,12 +751,18 @@ struct Lookup
if (unlikely (!get_subtables<TSubTable> ().sanitize (c, this, get_type ())))
return_trace (false);
if (unlikely (get_type () == TSubTable::Extension))
if (unlikely (get_type () == TSubTable::Extension && !c->get_edit_count ()))
{
/* The spec says all subtables of an Extension lookup should
* have the same type, which shall not be the Extension type
* itself (but we already checked for that).
* This is specially important if one has a reverse type! */
* This is specially important if one has a reverse type!
*
* We only do this if sanitizer edit_count is zero. Otherwise,
* some of the subtables might have become insane after they
* were sanity-checked by the edits of subsequent subtables.
* https://bugs.chromium.org/p/chromium/issues/detail?id=960331
*/
unsigned int type = get_subtable<TSubTable> (0).u.extension.get_type ();
unsigned int count = get_subtable_count ();
for (unsigned int i = 1; i < count; i++)
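Review bot: The new condition on the `if` line compares `c->get_edit_count ()` against zero, so if the sanitizer's edit counter accumulates across the whole table (it reads a plain member `edit_count` in the other hunk), the subtable-type consistency check is skipped for every extension lookup once any earlier lookup in the same pass has been edited, not only when this lookup's own subtables were touched. The comment's stated reason (subtables of this lookup becoming insane after edits by subsequent subtables) only needs the edits made while sanitizing these subtables, so snapshotting the counter would keep the check active far more often: `unsigned int edits_before = c->get_edit_count ();` placed before the `get_subtables<TSubTable> ().sanitize (...)` call, and `if (unlikely (get_type () == TSubTable::Extension && c->get_edit_count () == edits_before))` in place of the new condition. If the counter is instead reset per lookup, this is a no-op and the comment could say so. The enclosing `sanitize` body starts before this hunk and the loop continues past it.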


@ -211,6 +211,8 @@ struct hb_sanitize_context_t :
this->start = this->end = nullptr;
}
unsigned get_edit_count () { return edit_count; }
bool check_range (const void *base,
unsigned int len) const
{
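Review bot: The new accessor `unsigned get_edit_count () { return edit_count; }` is a pure read but is not declared `const`, unlike the neighbouring `check_range`, so it cannot be called through a `const hb_sanitize_context_t` and is inconsistent with the surrounding query methods; `unsigned get_edit_count () const { return edit_count; }` is the matching form. A one-line comment stating what the count means for callers would also help, e.g. `/* Number of in-place edits (neuterings) made so far in this sanitize pass. */`, since the value is now used to gate checks elsewhere. The enclosing struct continues outside the hunk.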