walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix invalid memory read 

Buffer might be relocated inside replace_glyphs().

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=895117
This commit is contained in:
Behdad Esfahbod 2018-10-26 21:54:07 -07:00
parent 79b2fa62ca
commit 30eab97a00
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/hb-ot-shape-normalize.cc
View File

@ -225,7 +225,8 @@ handle_variation_selector_cluster (const hb_ot_shape_normalize_context_t *c,
/* The next two lines are some ugly lines... But work. */ /* The next two lines are some ugly lines... But work. */
if (font->get_variation_glyph (buffer->cur().codepoint, buffer->cur(+1).codepoint, &buffer->cur().glyph_index())) if (font->get_variation_glyph (buffer->cur().codepoint, buffer->cur(+1).codepoint, &buffer->cur().glyph_index()))
{ {
buffer->replace_glyphs (2, 1, &buffer->cur().codepoint); hb_codepoint_t unicode = buffer->cur().codepoint;
buffer->replace_glyphs (2, 1, &unicode);
} }
else else
{ {