[aat] Make sure Lookup offset is never nulled

Lookup has unbounded size, so it cannot be nulled...

Fixes https://oss-fuzz.com/v2/testcase-detail/5718889451749376
Behdad Esfahbod 2018-10-16 15:40:44 -07:00
parent 1aa353e4fc
commit 87205ef935
5 changed files with 19 additions and 20 deletions


@ -82,7 +82,7 @@ struct ankr
protected: protected:
HBUINT16 version; /* Version number (set to zero) */ HBUINT16 version; /* Version number (set to zero) */
HBUINT16 flags; /* Flags (currently unused; set to zero) */ HBUINT16 flags; /* Flags (currently unused; set to zero) */
LOffsetTo<Lookup<Offset<HBUINT16, false> > > LOffsetTo<Lookup<Offset<HBUINT16, false> >, false>
lookupTable; /* Offset to the table's lookup table */ lookupTable; /* Offset to the table's lookup table */
LOffsetTo<HBUINT8> LOffsetTo<HBUINT8>
anchorData; /* Offset to the glyph data table */ anchorData; /* Offset to the glyph data table */
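Review bot: The switch of `lookupTable` to `LOffsetTo<Lookup<Offset<HBUINT16, false> >, false>` leaves the reason for the non-nullable offset undocumented at the field, while that reason (Lookup's Format0 has unbounded size and so cannot come from the Null pool) lives only in the comment this commit adds to the `Lookup` struct; a reader of `ankr` alone sees `anchorData` stay nullable and `lookupTable` not, with no hint why. Suggest extending the trailing comment to `lookupTable; /* Offset to the table's lookup table. Non-nullable: Lookup has unbounded size and must never resolve to the Null pool. */`. The same note applies to `leftClassTable`/`rightClassTable` in `KerxSubTableFormat2`, `rowIndexTable`/`columnIndexTable` in `KerxSubTableFormat6`, and `substitutionTables` in `ContextualSubtable` in this commit. The `ankr` sanitize and accessor paths that dereference `lookupTable` are outside this hunk; with `has_null=false` they presumably depend on sanitize rejecting a zero offset instead of a Null fallback, which is worth confirming on the full file.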


@ -291,7 +291,8 @@ struct Lookup
LookupFormat8<T> format8; LookupFormat8<T> format8;
} u; } u;
public: public:
DEFINE_SIZE_UNION (2, format); DEFINE_SIZE_MIN (0); /* 0 min size, makes sure this cannot be used on null pool,
because Format0 has unbounded size depending on num_glyphs. */
}; };
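Review bot: `DEFINE_SIZE_MIN (0)` makes `Lookup::min_size` zero, so any plain struct-size check on a `Lookup` now passes trivially and the per-format `sanitize` (outside this hunk) becomes the only validation of the bytes; the new comment should say that `min_size` must not be relied on for this type. The comment also states the effect ("cannot be used on null pool") without naming the mechanism — if this is enforced by a static assertion on `min_size` in the Null machinery, name it, otherwise a later change back to `DEFINE_SIZE_UNION` would silently re-enable nulling with nothing pointing at the consequence. Suggested wording: `/* min_size 0: Format0 is unbounded (depends on num_glyphs), so a Lookup must never be served from the Null pool; offsets to it must use has_null=false, and sanitize is the only size check. */`.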


@ -278,10 +278,10 @@ struct KerxSubTableFormat2
protected: protected:
KerxSubTableHeader header; KerxSubTableHeader header;
HBUINT32 rowWidth; /* The width, in bytes, of a row in the table. */ HBUINT32 rowWidth; /* The width, in bytes, of a row in the table. */
LOffsetTo<Lookup<HBUINT16> > LOffsetTo<Lookup<HBUINT16>, false>
leftClassTable; /* Offset from beginning of this subtable to leftClassTable; /* Offset from beginning of this subtable to
* left-hand class table. */ * left-hand class table. */
LOffsetTo<Lookup<HBUINT16> > LOffsetTo<Lookup<HBUINT16>, false>
rightClassTable;/* Offset from beginning of this subtable to rightClassTable;/* Offset from beginning of this subtable to
* right-hand class table. */ * right-hand class table. */
LOffsetTo<UnsizedArrayOf<FWORD>, false> LOffsetTo<UnsizedArrayOf<FWORD>, false>
@ -548,17 +548,15 @@ struct KerxSubTableFormat6
{ {
struct Long struct Long
{ {
LOffsetTo<Lookup<HBUINT32> > rowIndexTable; LOffsetTo<Lookup<HBUINT32>, false> rowIndexTable;
LOffsetTo<Lookup<HBUINT32> > columnIndexTable; LOffsetTo<Lookup<HBUINT32>, false> columnIndexTable;
LOffsetTo<UnsizedArrayOf<FWORD32>, false> LOffsetTo<UnsizedArrayOf<FWORD32>, false> array;
array;
} l; } l;
struct Short struct Short
{ {
LOffsetTo<Lookup<HBUINT16> > rowIndexTable; LOffsetTo<Lookup<HBUINT16>, false> rowIndexTable;
LOffsetTo<Lookup<HBUINT16> > columnIndexTable; LOffsetTo<Lookup<HBUINT16>, false> columnIndexTable;
LOffsetTo<UnsizedArrayOf<FWORD>, false> LOffsetTo<UnsizedArrayOf<FWORD>, false> array;
array;
} s; } s;
} u; } u;
public: public:
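Review bot: The `KerxSubTableFormat6` hunk folds the `array;` member onto the same line as its `LOffsetTo<UnsizedArrayOf<FWORD32>, false>` / `LOffsetTo<UnsizedArrayOf<FWORD>, false>` declarations, which is a whitespace-only reflow mixed into a fuzz-fix commit. It inflates the diff for a change whose substance is the `has_null=false` switch on the four index-table offsets, and makes a later bisect of the fix noisier; keep such reformatting in a separate commit. `apply` and `sanitize` for both formats are outside these hunks, so whether a zero class/index-table offset is rejected before dereference is not visible here.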


@ -270,7 +270,7 @@ struct ContextualSubtable
private: private:
bool mark_set; bool mark_set;
unsigned int mark; unsigned int mark;
const UnsizedOffsetListOf<Lookup<GlyphID>, HBUINT32> &subs; const UnsizedOffsetListOf<Lookup<GlyphID>, HBUINT32, false> &subs;
}; };
inline bool apply (hb_aat_apply_context_t *c) const inline bool apply (hb_aat_apply_context_t *c) const
@ -311,7 +311,7 @@ struct ContextualSubtable
protected: protected:
StateTable<EntryData> StateTable<EntryData>
machine; machine;
LOffsetTo<UnsizedOffsetListOf<Lookup<GlyphID>, HBUINT32>, false> LOffsetTo<UnsizedOffsetListOf<Lookup<GlyphID>, HBUINT32, false>, false>
substitutionTables; substitutionTables;
public: public:
DEFINE_SIZE_STATIC (20); DEFINE_SIZE_STATIC (20);


@ -385,12 +385,12 @@ struct UnsizedArrayOf
}; };
/* Unsized array of offset's */ /* Unsized array of offset's */
template <typename Type, typename OffsetType> template <typename Type, typename OffsetType, bool has_null=true>
struct UnsizedOffsetArrayOf : UnsizedArrayOf<OffsetTo<Type, OffsetType> > {}; struct UnsizedOffsetArrayOf : UnsizedArrayOf<OffsetTo<Type, OffsetType, has_null> > {};
/* Unsized array of offsets relative to the beginning of the array itself. */ /* Unsized array of offsets relative to the beginning of the array itself. */
template <typename Type, typename OffsetType> template <typename Type, typename OffsetType, bool has_null=true>
struct UnsizedOffsetListOf : UnsizedOffsetArrayOf<Type, OffsetType> struct UnsizedOffsetListOf : UnsizedOffsetArrayOf<Type, OffsetType, has_null>
{ {
inline const Type& operator [] (unsigned int i) const inline const Type& operator [] (unsigned int i) const
{ {
@ -400,13 +400,13 @@ struct UnsizedOffsetListOf : UnsizedOffsetArrayOf<Type, OffsetType>
inline bool sanitize (hb_sanitize_context_t *c, unsigned int count) const inline bool sanitize (hb_sanitize_context_t *c, unsigned int count) const
{ {
TRACE_SANITIZE (this); TRACE_SANITIZE (this);
return_trace ((UnsizedOffsetArrayOf<Type, OffsetType>::sanitize (c, count, this))); return_trace ((UnsizedOffsetArrayOf<Type, OffsetType, has_null>::sanitize (c, count, this)));
} }
template <typename T> template <typename T>
inline bool sanitize (hb_sanitize_context_t *c, unsigned int count, T user_data) const inline bool sanitize (hb_sanitize_context_t *c, unsigned int count, T user_data) const
{ {
TRACE_SANITIZE (this); TRACE_SANITIZE (this);
return_trace ((UnsizedOffsetArrayOf<Type, OffsetType>::sanitize (c, count, this, user_data))); return_trace ((UnsizedOffsetArrayOf<Type, OffsetType, has_null>::sanitize (c, count, this, user_data)));
} }
}; };
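Review bot: The new `has_null` template parameter on `UnsizedOffsetArrayOf` and `UnsizedOffsetListOf` is undocumented, and its meaning is the security-relevant part of this change: with `has_null=false` a zero element offset is no longer resolved to the Null object, so if such an offset survives `sanitize` it would presumably be dereferenced relative to the base instead, and `sanitize` must therefore reject it. Suggest a comment above the first template: `/* has_null=false: element offsets are never resolved to Null(); use for targets of unbounded size (e.g. Lookup) and rely on sanitize rejecting zero offsets. */`. The body of `operator []` at the top of the second hunk is cut off, so whether it guards a zero offset itself is not visible here. The default `has_null=true` keeps every existing instantiation unchanged, which is good.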