[CBDT] Bound checks in reference_png

Behdad Esfahbod 2018-10-30 13:14:56 -07:00
parent f236f79088
commit a2a7422aaf
1 changed files with 34 additions and 23 deletions


@ -434,7 +434,6 @@ struct CBDT
case 17: { case 17: {
if (unlikely (image_length < GlyphBitmapDataFormat17::min_size)) if (unlikely (image_length < GlyphBitmapDataFormat17::min_size))
return false; return false;
const GlyphBitmapDataFormat17& glyphFormat17 = const GlyphBitmapDataFormat17& glyphFormat17 =
StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset); StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset);
glyphFormat17.glyphMetrics.get_extents (extents); glyphFormat17.glyphMetrics.get_extents (extents);
@ -473,30 +472,42 @@ struct CBDT
if (!subtable_record->get_image_data (glyph, base, &image_offset, &image_length, &image_format)) if (!subtable_record->get_image_data (glyph, base, &image_offset, &image_length, &image_format))
return hb_blob_get_empty (); return hb_blob_get_empty ();
switch (image_format)
{ {
case 17: { if (unlikely (image_offset > cbdt_len || cbdt_len - image_offset < image_length))
const GlyphBitmapDataFormat17& glyphFormat17 = return hb_blob_get_empty ();
StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset);
return hb_blob_create_sub_blob (cbdt_blob, switch (image_format)
image_offset + GlyphBitmapDataFormat17::min_size, {
glyphFormat17.data.len); case 17: {
} if (unlikely (image_length < GlyphBitmapDataFormat17::min_size))
case 18: { return hb_blob_get_empty ();
const GlyphBitmapDataFormat18& glyphFormat18 = const GlyphBitmapDataFormat17& glyphFormat17 =
StructAtOffset<GlyphBitmapDataFormat18> (this->cbdt, image_offset); StructAtOffset<GlyphBitmapDataFormat17> (this->cbdt, image_offset);
return hb_blob_create_sub_blob (cbdt_blob, return hb_blob_create_sub_blob (cbdt_blob,
image_offset + GlyphBitmapDataFormat18::min_size, image_offset + GlyphBitmapDataFormat17::min_size,
glyphFormat18.data.len); glyphFormat17.data.len);
} }
case 19: { case 18: {
const GlyphBitmapDataFormat19& glyphFormat19 = if (unlikely (image_length < GlyphBitmapDataFormat18::min_size))
StructAtOffset<GlyphBitmapDataFormat19> (this->cbdt, image_offset); return hb_blob_get_empty ();
return hb_blob_create_sub_blob (cbdt_blob, const GlyphBitmapDataFormat18& glyphFormat18 =
image_offset + GlyphBitmapDataFormat19::min_size, StructAtOffset<GlyphBitmapDataFormat18> (this->cbdt, image_offset);
glyphFormat19.data.len); return hb_blob_create_sub_blob (cbdt_blob,
} image_offset + GlyphBitmapDataFormat18::min_size,
glyphFormat18.data.len);
}
case 19: {
if (unlikely (image_length < GlyphBitmapDataFormat19::min_size))
return hb_blob_get_empty ();
const GlyphBitmapDataFormat19& glyphFormat19 =
StructAtOffset<GlyphBitmapDataFormat19> (this->cbdt, image_offset);
return hb_blob_create_sub_blob (cbdt_blob,
image_offset + GlyphBitmapDataFormat19::min_size,
glyphFormat19.data.len);
}
}
} }
return hb_blob_get_empty (); return hb_blob_get_empty ();
} }
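Review bot: In the second hunk, each of cases 17, 18 and 19 still passes the font-supplied `glyphFormatNN.data.len` to `hb_blob_create_sub_blob` without comparing it to `image_length`; the new checks only confirm that the image record lies inside the table and is at least `min_size` long. A font can therefore declare a PNG length larger than its own image record, and the returned blob would cover bytes belonging to neighbouring glyph data. `hb_blob_create_sub_blob` clamps to the parent blob as far as I know, so this is probably not a read outside the table, but it is worth confirming. I would add a check after the reference is bound in each case, e.g. `if (unlikely (glyphFormat17.data.len > image_length - GlyphBitmapDataFormat17::min_size)) return hb_blob_get_empty ();`; the subtraction cannot wrap because of the preceding `min_size` check. The enclosing function starts outside the hunk, so how `cbdt_len` is derived is not visible here.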