[kerx] Fix Format1 tupleKern sanitization

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11312
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11305
Behdad Esfahbod 2018-11-10 21:13:13 -05:00
parent f9e0552deb
commit 752bd8a192
2 changed files with 3 additions and 3 deletions


@ -262,10 +262,12 @@ struct KerxSubTableFormat1
if (Format1EntryT::performAction (entry)) if (Format1EntryT::performAction (entry))
{ {
unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry); unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ); kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
const FWORD *actions = &kernAction[kern_idx]; const FWORD *actions = &kernAction[kern_idx];
if (!c->sanitizer.check_array (actions, depth)) if (!c->sanitizer.check_array (actions, depth * tuple_count))
{ {
depth = 0; depth = 0;
return false; return false;
@ -276,8 +278,6 @@ struct KerxSubTableFormat1
/* From Apple 'kern' spec: /* From Apple 'kern' spec:
* "Each pops one glyph from the kerning stack and applies the kerning value to it. * "Each pops one glyph from the kerning stack and applies the kerning value to it.
* The end of the list is marked by an odd value... */ * The end of the list is marked by an odd value... */
unsigned int tuple_count = table->header.tuple_count ();
tuple_count = tuple_count ? tuple_count : 1;
bool last = false; bool last = false;
while (!last && depth--) while (!last && depth--)
{ {
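Review bot: The new `check_array (actions, depth * tuple_count)` computes the element count with a plain `unsigned int` multiply, so a large header `tuple_count` can wrap the product and make the sanitizer validate a far smaller range than the loop below walks (the field is read straight from the untrusted subtable header and, in kerx, appears to be 32-bit — confirm against the header definition). A fuzzer-sized tuple count such as 0x80000001 with depth 2 would pass the check with length 2 while later reads still step by `tuple_count`. Reject the overflow explicitly before the check, e.g. `if (depth > UINT_MAX / tuple_count) { depth = 0; return false; }` (safe because `tuple_count` is already clamped to at least 1), or give the sanitizer the two factors separately so it can do an overflow-checked multiply. The `while (!last && depth--)` loop body that consumes `actions` continues past the end of this hunk, so the per-iteration stride could not be confirmed here.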