[glyf] Don't accept gids higher than maxp's glyphs number

This specially becomes concerning on sub-components where a gvar table
that is sanitized using maxp's glyphs number overflows when a high gid
accepted here goes to it, maybe an additional check can be put there
also, this however feels to be enough.

Fixes https://crbug.com/oss-fuzz/20944
This commit is contained in:
Ebrahim Byagowi 2020-02-28 23:19:06 +03:30 committed by GitHub
parent e642aab116
commit 758fda728b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 0 deletions

View File

@ -847,6 +847,7 @@ struct glyf
glyf_table = hb_sanitize_context_t ().reference_table<glyf> (face); glyf_table = hb_sanitize_context_t ().reference_table<glyf> (face);
num_glyphs = hb_max (1u, loca_table.get_length () / (short_offset ? 2 : 4)) - 1; num_glyphs = hb_max (1u, loca_table.get_length () / (short_offset ? 2 : 4)) - 1;
num_glyphs = hb_min (num_glyphs, face->get_num_glyphs ());
} }
void fini () void fini ()