walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[sbix] Check glyph id before looking into unsafe array 

That 'Z' at end of imageOffsetsZ is a reminder that you should check...
This commit is contained in:
Behdad Esfahbod 2018-10-28 15:33:12 -07:00
parent a8cb9c73da
commit 50fb02a219
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/hb-ot-color-sbix-table.hh
View File

@ -92,8 +92,9 @@ struct SBIXStrike
unsigned int strike_offset = (const char *) this - (const char *) sbix_blob->data; unsigned int strike_offset = (const char *) this - (const char *) sbix_blob->data;
retry: retry:
if (imageOffsetsZ[glyph_id + 1] < imageOffsetsZ[glyph_id] || if (unlikely (glyph_id >= num_glyphs ||
imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] <= SBIXGlyph::min_size) imageOffsetsZ[glyph_id + 1] < imageOffsetsZ[glyph_id] ||
imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] <= SBIXGlyph::min_size))
return hb_blob_get_empty (); return hb_blob_get_empty ();
if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len) if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len)
@ -106,7 +107,7 @@ struct SBIXStrike
if (calculate_blob_size (glyph_id) >= 2) if (calculate_blob_size (glyph_id) >= 2)
{ {
glyph_id = *((HBUINT16 *) &glyph->data); glyph_id = *((HBUINT16 *) &glyph->data);
if (glyph_id < num_glyphs && retry_count--) if (retry_count--)
goto retry; goto retry;
} }
return hb_blob_get_empty (); return hb_blob_get_empty ();