[ot-color/png] sbix runtime memory check

Ebrahim Byagowi 2018-10-27 10:50:53 +03:30
parent 265ad408ca
commit 6a38fd68a8
3 changed files with 21 additions and 17 deletions


@ -504,15 +504,13 @@ struct CBDT
} }
} }
inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id, inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id HB_UNUSED,
unsigned int requested_x_ppem, unsigned int requested_x_ppem HB_UNUSED,
unsigned int requested_y_ppem, unsigned int requested_y_ppem HB_UNUSED,
unsigned int *strike_x_ppem, unsigned int *strike_x_ppem HB_UNUSED,
unsigned int *strike_y_ppem) const unsigned int *strike_y_ppem HB_UNUSED) const
{ {
// if (unlikely (cbdt_len == 0))
return hb_blob_get_empty (); return hb_blob_get_empty ();
// return svg->get_glyph_entry (glyph_id).reference_blob (svg_blob, svg->svgDocEntries);
} }
inline bool has_data () const inline bool has_data () const
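Review bot: CBDT's reference_blob_for_glyph is left as a stub with nothing saying so: every parameter is now HB_UNUSED and the body only returns hb_blob_get_empty (), while the commented-out lines that hinted at the intended lookup are removed. A caller reading the signature would expect the ppem outputs to be filled in, yet *strike_x_ppem and *strike_y_ppem are never written. I would add a comment above the function such as `/* TODO: CBDT blob lookup not implemented; always returns the empty blob and leaves strike_*_ppem untouched. */`.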


@ -82,6 +82,7 @@ struct SBIXStrike
inline hb_blob_t *get_glyph_blob (unsigned int glyph_id, inline hb_blob_t *get_glyph_blob (unsigned int glyph_id,
hb_blob_t *sbix_blob, hb_blob_t *sbix_blob,
unsigned int sbix_len,
unsigned int strike_offset, unsigned int strike_offset,
unsigned int *x_offset, unsigned int *x_offset,
unsigned int *y_offset, unsigned int *y_offset,
@ -91,6 +92,9 @@ struct SBIXStrike
if (imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] == 0) if (imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] == 0)
return hb_blob_get_empty (); return hb_blob_get_empty ();
if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len)
return hb_blob_get_empty ();
const SBIXGlyph *glyph = &(this+imageOffsetsZ[glyph_id]); const SBIXGlyph *glyph = &(this+imageOffsetsZ[glyph_id]);
if (unlikely (glyph->graphicType == HB_TAG ('d','u','p','e') && if (unlikely (glyph->graphicType == HB_TAG ('d','u','p','e') &&
blob_size (glyph_id) >= 2)) blob_size (glyph_id) >= 2))
@ -100,6 +104,8 @@ struct SBIXStrike
{ {
glyph = &(this+imageOffsetsZ[new_glyph_id]); glyph = &(this+imageOffsetsZ[new_glyph_id]);
glyph_id = new_glyph_id; glyph_id = new_glyph_id;
if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len)
return hb_blob_get_empty ();
} }
} }
if (unlikely (requested_file_type != glyph->graphicType)) if (unlikely (requested_file_type != glyph->graphicType))
@ -155,18 +161,18 @@ struct sbix
const SBIXStrike &strike = sbix_table+sbix_table->strikes[group]; const SBIXStrike &strike = sbix_table+sbix_table->strikes[group];
for (unsigned int glyph_id = 0; glyph_id < num_glyphs; glyph_id++) for (unsigned int glyph_id = 0; glyph_id < num_glyphs; glyph_id++)
{ {
unsigned int x_offset, y_offset;
hb_tag_t tag; hb_tag_t tag;
hb_blob_t *blob; hb_blob_t *blob;
blob = strike.get_glyph_blob (glyph_id, sbix_blob, sbix_table->strikes[group], blob = strike.get_glyph_blob (glyph_id, sbix_blob, sbix_len,
&x_offset, &x_offset, sbix_table->strikes[group],
nullptr, nullptr,
HB_TAG('p','n','g',' '), num_glyphs); HB_TAG('p','n','g',' '), num_glyphs);
if (hb_blob_get_length (blob)) callback (blob, group, glyph_id); if (hb_blob_get_length (blob)) callback (blob, group, glyph_id);
} }
} }
} }
inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id, inline hb_blob_t *reference_blob_for_glyph (hb_codepoint_t glyph_id,
unsigned int ptem HB_UNUSED, unsigned int ptem HB_UNUSED,
unsigned int requested_ppem, unsigned int requested_ppem,
unsigned int requested_file_type, unsigned int requested_file_type,
@ -187,7 +193,8 @@ struct sbix
const SBIXStrike &strike = sbix_table+sbix_table->strikes[group]; const SBIXStrike &strike = sbix_table+sbix_table->strikes[group];
if (available_x_ppem) *available_x_ppem = strike.get_ppem (); if (available_x_ppem) *available_x_ppem = strike.get_ppem ();
if (available_y_ppem) *available_y_ppem = strike.get_ppem (); if (available_y_ppem) *available_y_ppem = strike.get_ppem ();
return strike.get_glyph_blob (glyph_id, sbix_blob, sbix_table->strikes[group], return strike.get_glyph_blob (glyph_id, sbix_blob, sbix_len,
sbix_table->strikes[group],
nullptr, nullptr, requested_file_type, num_glyphs); nullptr, nullptr, requested_file_type, num_glyphs);
} }
@ -200,7 +207,6 @@ struct sbix
unsigned int sbix_len; unsigned int sbix_len;
unsigned int num_glyphs; unsigned int num_glyphs;
hb_vector_t<hb_vector_t<unsigned int> > data_offsets;
}; };
protected: protected:
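Review bot: The new bounds test in get_glyph_blob, `strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len`, is evaluated in unsigned int arithmetic, so if both offsets come from the font file (strike_offset is passed as sbix_table->strikes[group]) a large pair can wrap the sum below sbix_len, and the glyph->graphicType read that follows then lands outside the blob. Comparing by subtraction avoids the wrap: with `unsigned int off = imageOffsetsZ[glyph_id];` the guard becomes `if (strike_offset > sbix_len || off > sbix_len - strike_offset || SBIXGlyph::min_size > sbix_len - strike_offset - off) return hb_blob_get_empty ();`. The same expression is repeated in the 'dupe' branch after glyph_id is reassigned, so a small private helper taking the glyph id would keep the two copies from drifting apart. The check also covers only SBIXGlyph::min_size and not the image data; the start of the function and the code that builds the returned blob are outside these hunks, so whether glyph_id + 1 and the data length are bounded elsewhere cannot be confirmed from here.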


@ -50,7 +50,7 @@ struct SVGDocumentIndexEntry
return b->cmp (*a); return b->cmp (*a);
} }
inline hb_blob_t* reference_blob (hb_blob_t *svg_blob, unsigned int index_offset) const inline hb_blob_t *reference_blob (hb_blob_t *svg_blob, unsigned int index_offset) const
{ {
if (svgDocLength == 0) return hb_blob_get_empty (); if (svgDocLength == 0) return hb_blob_get_empty ();
return hb_blob_create_sub_blob (svg_blob, (unsigned int) svgDoc + index_offset, return hb_blob_create_sub_blob (svg_blob, (unsigned int) svgDoc + index_offset,
@ -95,7 +95,7 @@ struct SVG
hb_blob_destroy (svg_blob); hb_blob_destroy (svg_blob);
} }
inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id) const inline hb_blob_t *reference_blob_for_glyph (hb_codepoint_t glyph_id) const
{ {
if (unlikely (svg_len == 0)) if (unlikely (svg_len == 0))
return hb_blob_get_empty (); return hb_blob_get_empty ();