[AAT] Fix ankr table access

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=918340
This commit is contained in:
Behdad Esfahbod 2019-01-14 14:37:36 -05:00
parent 760303d411
commit a3fa7d3336
2 changed files with 4 additions and 3 deletions


@ -69,8 +69,8 @@ struct ankr
if (!offset)
return Null(Anchor);
const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset);
/* TODO Use sanitizer; to avoid overflows and more. */
if (unlikely ((const char *) &anchors + anchors.get_size () > end))
if (unlikely (end - (const char *) &anchors < anchors.len.static_size ||
end - (const char *) &anchors < anchors.get_size ()))
return Null(Anchor);
return anchors[i];
}
@ -80,7 +80,8 @@ struct ankr
TRACE_SANITIZE (this);
return_trace (likely (c->check_struct (this) &&
version == 0 &&
lookupTable.sanitize (c, this)));
lookupTable.sanitize (c, this) &&
anchorData.sanitize (c, this) /* Just one byte. */));
}
protected:
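Review bot: The new two-clause guard `end - (const char *) &anchors < anchors.len.static_size || end - (const char *) &anchors < anchors.get_size ()` is only sound because of two unstated facts: the first clause must run before `get_size ()` dereferences `anchors.len` (which is exactly the over-read the old single comparison had), and a negative difference — an untrusted `*offset` placing `&anchors` beyond `end` — has to compare as less-than, which depends on the types of `static_size` and `get_size ()` that the hunk does not show; if the `ptrdiff_t` is ever converted to unsigned on some build, the wrapped value would pass the check. I would make both explicit: `ptrdiff_t avail = end - (const char *) &anchors;` followed by `if (unlikely (avail < (ptrdiff_t) anchors.len.static_size || avail < (ptrdiff_t) anchors.get_size ()))`, and extend the existing TODO to `/* Check len is readable before get_size () reads it; TODO Use sanitizer; to avoid overflows and more. */`. The bound on `i` in `anchors[i]` is presumably enforced by the array's operator[], but that, along with get_anchor's signature and the computation of `end`, lies outside the hunk.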