walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Check for offset overflows during sanitize

This commit is contained in:
Behdad Esfahbod 2016-12-02 19:51:23 -08:00
parent 4b58c9e326
commit 70eb2ff682
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/hb-open-type-private.hh
View File

@ -806,6 +806,7 @@ struct OffsetTo : Offset<OffsetType>
if (unlikely (!c->check_struct (this))) return_trace (false); if (unlikely (!c->check_struct (this))) return_trace (false);
unsigned int offset = *this; unsigned int offset = *this;
if (unlikely (!offset)) return_trace (true); if (unlikely (!offset)) return_trace (true);
if (unlikely (!c->check_range (base, offset))) return_trace (false);
const Type &obj = StructAtOffset<Type> (base, offset); const Type &obj = StructAtOffset<Type> (base, offset);
return_trace (likely (obj.sanitize (c)) || neuter (c)); return_trace (likely (obj.sanitize (c)) || neuter (c));
} }
@ -816,6 +817,7 @@ struct OffsetTo : Offset<OffsetType>
if (unlikely (!c->check_struct (this))) return_trace (false); if (unlikely (!c->check_struct (this))) return_trace (false);
unsigned int offset = *this; unsigned int offset = *this;
if (unlikely (!offset)) return_trace (true); if (unlikely (!offset)) return_trace (true);
if (unlikely (!c->check_range (base, offset))) return_trace (false);
const Type &obj = StructAtOffset<Type> (base, offset); const Type &obj = StructAtOffset<Type> (base, offset);
return_trace (likely (obj.sanitize (c, user_data)) || neuter (c)); return_trace (likely (obj.sanitize (c, user_data)) || neuter (c));
} }