Don't subset a glyf table with an unknown format.
Fixes fuzzer issue: https://oss-fuzz.com/testcase-detail/4875306193518592
parent
cfa9541daa
commit
9286e12525
|
@ -31,6 +31,12 @@ struct glyf
|
||||||
|
|
||||||
static constexpr hb_tag_t tableTag = HB_OT_TAG_glyf;
|
static constexpr hb_tag_t tableTag = HB_OT_TAG_glyf;
|
||||||
|
|
||||||
|
static bool has_valid_glyf_format(const hb_face_t* face)
|
||||||
|
{
|
||||||
|
const OT::head &head = *face->table.head;
|
||||||
|
return head.indexToLocFormat <= 1 && head.glyphDataFormat <= 1;
|
||||||
|
}
|
||||||
|
|
||||||
bool sanitize (hb_sanitize_context_t *c HB_UNUSED) const
|
bool sanitize (hb_sanitize_context_t *c HB_UNUSED) const
|
||||||
{
|
{
|
||||||
TRACE_SANITIZE (this);
|
TRACE_SANITIZE (this);
|
||||||
|
@ -72,6 +78,13 @@ struct glyf
|
||||||
{
|
{
|
||||||
TRACE_SUBSET (this);
|
TRACE_SUBSET (this);
|
||||||
|
|
||||||
|
if (!has_valid_glyf_format (c->plan->source)) {
|
||||||
|
// glyf format is unknown don't attempt to subset it.
|
||||||
|
DEBUG_MSG (SUBSET, nullptr,
|
||||||
|
"unkown glyf format, dropping from subset.");
|
||||||
|
return_trace (false);
|
||||||
|
}
|
||||||
|
|
||||||
glyf *glyf_prime = c->serializer->start_embed <glyf> ();
|
glyf *glyf_prime = c->serializer->start_embed <glyf> ();
|
||||||
if (unlikely (!c->serializer->check_success (glyf_prime))) return_trace (false);
|
if (unlikely (!c->serializer->check_success (glyf_prime))) return_trace (false);
|
||||||
|
|
||||||
|
@ -162,7 +175,7 @@ struct glyf_accelerator_t
|
||||||
vmtx = nullptr;
|
vmtx = nullptr;
|
||||||
#endif
|
#endif
|
||||||
const OT::head &head = *face->table.head;
|
const OT::head &head = *face->table.head;
|
||||||
if (head.indexToLocFormat > 1 || head.glyphDataFormat > 1)
|
if (!glyf::has_valid_glyf_format (face))
|
||||||
/* Unknown format. Leave num_glyphs=0, that takes care of disabling us. */
|
/* Unknown format. Leave num_glyphs=0, that takes care of disabling us. */
|
||||||
return;
|
return;
|
||||||
short_offset = 0 == head.indexToLocFormat;
|
short_offset = 0 == head.indexToLocFormat;
|
||||||
|
|
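Review bot: has_valid_glyf_format() bounds head.indexToLocFormat and head.glyphDataFormat only from above, so if those fields are signed in OT::head (its declaration is not visible on this page) a negative value from a malformed font still counts as a known format, and the accelerator's `short_offset = 0 == head.indexToLocFormat` would then treat it as the long-offset layout. If they are signed, add a lower bound, e.g. `return head.indexToLocFormat >= 0 && head.indexToLocFormat <= 1 &&` followed by the same pair of comparisons for glyphDataFormat; otherwise the helper should have a comment stating which values are accepted and why. The helper is now the single check shared by glyf::subset() and glyf_accelerator_t, so a one-line comment saying that would help keep the two paths from drifting apart again. In the subset() guard, the debug string is misspelled and should read `"unknown glyf format, dropping from subset."`, which matters when grepping logs during fuzzer triage. The bodies of subset() and the accelerator constructor continue outside these hunks.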
Binary file not shown.