[kerx/morx] Make sure object length is sanitized before accessing it

This commit is contained in:
Behdad Esfahbod 2018-11-24 09:47:45 -05:00
parent 70d80c90fe
commit 8dcc1913a1
2 changed files with 10 additions and 0 deletions

View File

@ -962,6 +962,11 @@ struct KerxTable
unsigned int count = thiz()->tableCount; unsigned int count = thiz()->tableCount;
for (unsigned int i = 0; i < count; i++) for (unsigned int i = 0; i < count; i++)
{ {
if (unlikely (!st->u.header.sanitize (c)))
{
c->reset_object ();
return_trace (false);
}
/* OpenType kern table has 2-byte subtable lengths. That's limiting. /* OpenType kern table has 2-byte subtable lengths. That's limiting.
* MS implementation also only supports one subtable, of format 0, * MS implementation also only supports one subtable, of format 0,
* anyway. Certain versions of some fonts, like Calibry, contain * anyway. Certain versions of some fonts, like Calibry, contain

View File

@ -1061,6 +1061,11 @@ struct Chain
unsigned int count = subtableCount; unsigned int count = subtableCount;
for (unsigned int i = 0; i < count; i++) for (unsigned int i = 0; i < count; i++)
{ {
if (unlikely (!c->check_struct (subtable)))
{
c->reset_object ();
return_trace (false);
}
c->set_object (*subtable); c->set_object (*subtable);
if (!subtable->sanitize (c)) if (!subtable->sanitize (c))
return_trace (false); return_trace (false);