[kerx] Fix Format1 tupleKern sanitization
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11312 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11305
This commit is contained in:
parent
f9e0552deb
commit
752bd8a192
|
@ -262,10 +262,12 @@ struct KerxSubTableFormat1
|
|||
|
||||
if (Format1EntryT::performAction (entry))
|
||||
{
|
||||
unsigned int tuple_count = MAX (1u, table->header.tuple_count ());
|
||||
|
||||
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
|
||||
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
|
||||
const FWORD *actions = &kernAction[kern_idx];
|
||||
if (!c->sanitizer.check_array (actions, depth))
|
||||
if (!c->sanitizer.check_array (actions, depth * tuple_count))
|
||||
{
|
||||
depth = 0;
|
||||
return false;
|
||||
|
@ -276,8 +278,6 @@ struct KerxSubTableFormat1
|
|||
/* From Apple 'kern' spec:
|
||||
* "Each pops one glyph from the kerning stack and applies the kerning value to it.
|
||||
* The end of the list is marked by an odd value... */
|
||||
unsigned int tuple_count = table->header.tuple_count ();
|
||||
tuple_count = tuple_count ? tuple_count : 1;
|
||||
bool last = false;
|
||||
while (!last && depth--)
|
||||
{
|
||||
|
|
Binary file not shown.
Loading…
Reference in New Issue