From 6f7611375521c6d285a9aa763f2ea5cb44cd0d39 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Thu, 2 Aug 2012 04:00:31 -0400 Subject: [PATCH] [GSUB/GPOS] Check array size before accessing digests --- src/hb-ot-layout-private.hh | 3 +++ src/hb-ot-layout.cc | 32 ++++++++++++++++---------------- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/src/hb-ot-layout-private.hh b/src/hb-ot-layout-private.hh index d87a13808..ea2e64d2c 100644 --- a/src/hb-ot-layout-private.hh +++ b/src/hb-ot-layout-private.hh @@ -170,6 +170,9 @@ struct hb_ot_layout_t const struct GSUB *gsub; const struct GPOS *gpos; + unsigned int gsub_lookup_count; + unsigned int gpos_lookup_count; + hb_set_digest_t *gsub_digests; hb_set_digest_t *gpos_digests; }; diff --git a/src/hb-ot-layout.cc b/src/hb-ot-layout.cc index c8f4d6993..63f30956a 100644 --- a/src/hb-ot-layout.cc +++ b/src/hb-ot-layout.cc @@ -58,22 +58,22 @@ _hb_ot_layout_create (hb_face_t *face) layout->gpos_blob = Sanitizer::sanitize (hb_face_reference_table (face, HB_OT_TAG_GPOS)); layout->gpos = Sanitizer::lock_instance (layout->gpos_blob); + layout->gsub_lookup_count = layout->gsub->get_lookup_count (); + layout->gpos_lookup_count = layout->gpos->get_lookup_count (); + layout->gsub_digests = (hb_set_digest_t *) calloc (layout->gsub->get_lookup_count (), sizeof (hb_set_digest_t)); layout->gpos_digests = (hb_set_digest_t *) calloc (layout->gpos->get_lookup_count (), sizeof (hb_set_digest_t)); - if (unlikely ((layout->gsub->get_lookup_count() && !layout->gsub_digests) || - (layout->gpos->get_lookup_count() && !layout->gpos_digests))) + if (unlikely ((layout->gsub_lookup_count && !layout->gsub_digests) || + (layout->gpos_lookup_count && !layout->gpos_digests))) { _hb_ot_layout_destroy (layout); return NULL; } - unsigned int count; - count = layout->gsub->get_lookup_count(); - for (unsigned int i = 0; i < count; i++) + for (unsigned int i = 0; i < layout->gsub_lookup_count; i++) layout->gsub->add_coverage (&layout->gsub_digests[i], i); - count = layout->gpos->get_lookup_count(); - for (unsigned int i = 0; i < count; i++) + for (unsigned int i = 0; i < layout->gpos_lookup_count; i++) layout->gpos->add_coverage (&layout->gpos_digests[i], i); return layout; @@ -405,9 +405,8 @@ hb_ot_layout_would_substitute_lookup (hb_face_t *face, unsigned int glyphs_length, unsigned int lookup_index) { - if (unlikely (glyphs_length < 1 || glyphs_length > 2)) return false; - hb_would_apply_context_t c (face, glyphs[0], glyphs_length == 2 ? glyphs[1] : -1, NULL); - return _get_gsub (face).would_substitute_lookup (&c, lookup_index); + if (unlikely (!hb_ot_shaper_face_data_ensure (face))) return false; + return hb_ot_layout_would_substitute_lookup_fast (face, glyphs, glyphs_length, lookup_index); } hb_bool_t @@ -417,6 +416,7 @@ hb_ot_layout_would_substitute_lookup_fast (hb_face_t *face, unsigned int lookup_index) { if (unlikely (glyphs_length < 1 || glyphs_length > 2)) return false; + if (unlikely (lookup_index >= hb_ot_layout_from_face (face)->gsub_lookup_count)) return false; hb_would_apply_context_t c (face, glyphs[0], glyphs_length == 2 ? glyphs[1] : -1, &hb_ot_layout_from_face (face)->gsub_digests[lookup_index]); return hb_ot_layout_from_face (face)->gsub->would_substitute_lookup (&c, lookup_index); } @@ -433,8 +433,8 @@ hb_ot_layout_substitute_lookup (hb_face_t *face, unsigned int lookup_index, hb_mask_t mask) { - hb_apply_context_t c (NULL, face, buffer, mask, NULL); - return _get_gsub (face).substitute_lookup (&c, lookup_index); + if (unlikely (!hb_ot_shaper_face_data_ensure (face))) return false; + return hb_ot_layout_substitute_lookup_fast (face, buffer, lookup_index, mask); } hb_bool_t @@ -443,6 +443,7 @@ hb_ot_layout_substitute_lookup_fast (hb_face_t *face, unsigned int lookup_index, hb_mask_t mask) { + if (unlikely (lookup_index >= hb_ot_layout_from_face (face)->gsub_lookup_count)) return false; hb_apply_context_t c (NULL, face, buffer, mask, &hb_ot_layout_from_face (face)->gsub_digests[lookup_index]); return hb_ot_layout_from_face (face)->gsub->substitute_lookup (&c, lookup_index); } @@ -484,8 +485,8 @@ hb_ot_layout_position_lookup (hb_font_t *font, unsigned int lookup_index, hb_mask_t mask) { - hb_apply_context_t c (font, font->face, buffer, mask, NULL); - return _get_gpos (font->face).position_lookup (&c, lookup_index); + if (unlikely (!hb_ot_shaper_face_data_ensure (font->face))) return false; + return hb_ot_layout_position_lookup_fast (font, buffer, lookup_index, mask); } hb_bool_t @@ -494,6 +495,7 @@ hb_ot_layout_position_lookup_fast (hb_font_t *font, unsigned int lookup_index, hb_mask_t mask) { + if (unlikely (lookup_index >= hb_ot_layout_from_face (font->face)->gpos_lookup_count)) return false; hb_apply_context_t c (font, font->face, buffer, mask, &hb_ot_layout_from_face (font->face)->gpos_digests[lookup_index]); return hb_ot_layout_from_face (font->face)->gpos->position_lookup (&c, lookup_index); } @@ -503,5 +505,3 @@ hb_ot_layout_position_finish (hb_font_t *font, hb_buffer_t *buffer, hb_bool_t ze { GPOS::position_finish (font, buffer, zero_width_attached_marks); } - -