[kerx/morx] Make sure object length is sanitized before accessing it
This commit is contained in:
parent
70d80c90fe
commit
8dcc1913a1
|
@ -962,6 +962,11 @@ struct KerxTable
|
||||||
unsigned int count = thiz()->tableCount;
|
unsigned int count = thiz()->tableCount;
|
||||||
for (unsigned int i = 0; i < count; i++)
|
for (unsigned int i = 0; i < count; i++)
|
||||||
{
|
{
|
||||||
|
if (unlikely (!st->u.header.sanitize (c)))
|
||||||
|
{
|
||||||
|
c->reset_object ();
|
||||||
|
return_trace (false);
|
||||||
|
}
|
||||||
/* OpenType kern table has 2-byte subtable lengths. That's limiting.
|
/* OpenType kern table has 2-byte subtable lengths. That's limiting.
|
||||||
* MS implementation also only supports one subtable, of format 0,
|
* MS implementation also only supports one subtable, of format 0,
|
||||||
* anyway. Certain versions of some fonts, like Calibry, contain
|
* anyway. Certain versions of some fonts, like Calibry, contain
|
||||||
|
|
|
@ -1061,6 +1061,11 @@ struct Chain
|
||||||
unsigned int count = subtableCount;
|
unsigned int count = subtableCount;
|
||||||
for (unsigned int i = 0; i < count; i++)
|
for (unsigned int i = 0; i < count; i++)
|
||||||
{
|
{
|
||||||
|
if (unlikely (!c->check_struct (subtable)))
|
||||||
|
{
|
||||||
|
c->reset_object ();
|
||||||
|
return_trace (false);
|
||||||
|
}
|
||||||
c->set_object (*subtable);
|
c->set_object (*subtable);
|
||||||
if (!subtable->sanitize (c))
|
if (!subtable->sanitize (c))
|
||||||
return_trace (false);
|
return_trace (false);
|
||||||
|
|
Loading…
Reference in New Issue