[kerx] Fix Format1 tupleKern sanitization
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11312 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11305
parent
f9e0552deb
commit
752bd8a192
|
@ -262,10 +262,12 @@ struct KerxSubTableFormat1
|
||||||
|
|
||||||
if (Format1EntryT::performAction (entry))
|
if (Format1EntryT::performAction (entry))
|
||||||
{
|
{
|
||||||
|
unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
|
||||||
|
|
||||||
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
|
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
|
||||||
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
|
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
|
||||||
const FWORD *actions = &kernAction[kern_idx];
|
const FWORD *actions = &kernAction[kern_idx];
|
||||||
if (!c->sanitizer.check_array (actions, depth))
|
if (!c->sanitizer.check_array (actions, depth * tuple_count))
|
||||||
{
|
{
|
||||||
depth = 0;
|
depth = 0;
|
||||||
return false;
|
return false;
|
||||||
|
@ -276,8 +278,6 @@ struct KerxSubTableFormat1
|
||||||
/* From Apple 'kern' spec:
|
/* From Apple 'kern' spec:
|
||||||
* "Each pops one glyph from the kerning stack and applies the kerning value to it.
|
* "Each pops one glyph from the kerning stack and applies the kerning value to it.
|
||||||
* The end of the list is marked by an odd value... */
|
* The end of the list is marked by an odd value... */
|
||||||
unsigned int tuple_count = table->header.tuple_count ();
|
|
||||||
tuple_count = tuple_count ? tuple_count : 1;
|
|
||||||
bool last = false;
|
bool last = false;
|
||||||
while (!last && depth--)
|
while (!last && depth--)
|
||||||
{
|
{
|
||||||
|
|
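Review bot: The product `depth * tuple_count` handed to `check_array` in the first hunk is computed in `unsigned int` and can wrap, because `tuple_count` is read straight from `table->header.tuple_count ()` in the font and only clamped from below by `MAX (1u, …)`. A wrapped product would make the sanitizer approve a shorter range than the `while (!last && depth--)` loop goes on to consume. Rejecting on overflow before the range check closes that gap, for example `if (hb_unsigned_mul_overflows (depth, tuple_count) || !c->sanitizer.check_array (actions, depth * tuple_count))`, assuming that helper is available in this tree. The loop body that indexes `actions` lies outside the hunk, so the per-entry stride of `tuple_count` is inferred from the new check rather than visible here.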
Binary file not shown.