[CBDT] Bound checks in reference_png

Behdad Esfahbod 2018-10-30 13:14:56 -07:00
parent f236f79088
commit a2a7422aaf
1 changed files with 34 additions and 23 deletions


@ -434,7 +434,6 @@ struct CBDT
case 17: { case 17: {
if (unlikely (image_length < GlyphBitmapDataFormat17::min_size)) if (unlikely (image_length < GlyphBitmapDataFormat17::min_size))
return false; return false;
const GlyphBitmapDataFormat17& glyphFormat17 = const GlyphBitmapDataFormat17& glyphFormat17 =
StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset); StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset);
glyphFormat17.glyphMetrics.get_extents (extents); glyphFormat17.glyphMetrics.get_extents (extents);
@ -473,9 +472,15 @@ struct CBDT
if (!subtable_record->get_image_data (glyph, base, &image_offset, &image_length, &image_format)) if (!subtable_record->get_image_data (glyph, base, &image_offset, &image_length, &image_format))
return hb_blob_get_empty (); return hb_blob_get_empty ();
{
if (unlikely (image_offset > cbdt_len || cbdt_len - image_offset < image_length))
return hb_blob_get_empty ();
switch (image_format) switch (image_format)
{ {
case 17: { case 17: {
if (unlikely (image_length < GlyphBitmapDataFormat17::min_size))
return hb_blob_get_empty ();
const GlyphBitmapDataFormat17& glyphFormat17 = const GlyphBitmapDataFormat17& glyphFormat17 =
StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset); StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset);
return hb_blob_create_sub_blob (cbdt_blob, return hb_blob_create_sub_blob (cbdt_blob,
@ -483,6 +488,8 @@ struct CBDT
glyphFormat17.data.len); glyphFormat17.data.len);
} }
case 18: { case 18: {
if (unlikely (image_length < GlyphBitmapDataFormat18::min_size))
return hb_blob_get_empty ();
const GlyphBitmapDataFormat18& glyphFormat18 = const GlyphBitmapDataFormat18& glyphFormat18 =
StructAtOffset<GlyphBitmapDataFormat18> (this->cbdt, image_offset); StructAtOffset<GlyphBitmapDataFormat18> (this->cbdt, image_offset);
return hb_blob_create_sub_blob (cbdt_blob, return hb_blob_create_sub_blob (cbdt_blob,
@ -490,6 +497,8 @@ struct CBDT
glyphFormat18.data.len); glyphFormat18.data.len);
} }
case 19: { case 19: {
if (unlikely (image_length < GlyphBitmapDataFormat19::min_size))
return hb_blob_get_empty ();
const GlyphBitmapDataFormat19& glyphFormat19 = const GlyphBitmapDataFormat19& glyphFormat19 =
StructAtOffset<GlyphBitmapDataFormat19> (this->cbdt, image_offset); StructAtOffset<GlyphBitmapDataFormat19> (this->cbdt, image_offset);
return hb_blob_create_sub_blob (cbdt_blob, return hb_blob_create_sub_blob (cbdt_blob,
@ -497,6 +506,8 @@ struct CBDT
glyphFormat19.data.len); glyphFormat19.data.len);
} }
} }
}
return hb_blob_get_empty (); return hb_blob_get_empty ();
} }
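Review bot: In cases 17, 18 and 19 of reference_png the sub-blob length is still `glyphFormatNN.data.len`, a field read from the font, and none of the visible lines compares it with `image_length`; the new guards only establish that the fixed-size header fits. A font could therefore declare a PNG length that runs past its own image record, so the returned blob would cover neighbouring CBDT bytes (hb_blob_create_sub_blob presumably clamps to the parent blob, which would keep the read inside the table but not inside the glyph's record; worth confirming). After the min_size check in each case I would add `if (unlikely (image_length - GlyphBitmapDataFormat17::min_size < glyphFormat17.data.len)) return hb_blob_get_empty ();`, with the matching type for 18 and 19. The offset argument of each hb_blob_create_sub_blob call falls between the hunks shown and the function starts above them, so this rests only on the lines visible here.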