[AAT] Fix ankr table access

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=918340
Behdad Esfahbod 2019-01-14 14:37:36 -05:00
parent 760303d411
commit a3fa7d3336
2 changed files with 4 additions and 3 deletions


@ -69,8 +69,8 @@ struct ankr
if (!offset) if (!offset)
return Null(Anchor); return Null(Anchor);
const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset); const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset);
/* TODO Use sanitizer; to avoid overflows and more. */ if (unlikely (end - (const char *) &anchors < anchors.len.static_size ||
if (unlikely ((const char *) &anchors + anchors.get_size () > end)) end - (const char *) &anchors < anchors.get_size ()))
return Null(Anchor); return Null(Anchor);
return anchors[i]; return anchors[i];
} }
@ -80,7 +80,8 @@ struct ankr
TRACE_SANITIZE (this); TRACE_SANITIZE (this);
return_trace (likely (c->check_struct (this) && return_trace (likely (c->check_struct (this) &&
version == 0 && version == 0 &&
lookupTable.sanitize (c, this))); lookupTable.sanitize (c, this) &&
anchorData.sanitize (c, this) /* Just one byte. */));
} }
protected: protected:
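Review bot: In the new bounds check in the first hunk, `end - (const char *) &anchors` is a signed `ptrdiff_t`, and if `*offset` (taken from the lookup table, which is sanitized for structure but not for the range of the offsets it holds) can place `anchors` past `end`, the difference is negative; whether that negative value rejects the anchor then depends on the types of `len.static_size` and `get_size ()`, which are not visible here — if they are unsigned and the same width as `ptrdiff_t` (ILP32 targets), the negative difference converts to a large unsigned value and both comparisons pass, so the subsequent `anchors[i]` reads outside the blob. Rejecting the negative case explicitly makes the check independent of those widths: `const ptrdiff_t avail = end - (const char *) &anchors;` / `if (unlikely (avail < 0 || (size_t) avail < anchors.len.static_size || (size_t) avail < anchors.get_size ()))` / `return Null(Anchor);`. The ordering of the two comparisons (presumably `get_size ()` derives from `len`, so `len` must be readable first) is the part the removed TODO hinted at and is now uncommented; a line such as `/* Ensure len is in range before get_size () reads it. */` above the condition would keep that rationale. The enclosing accessor's signature and the origin of `end` are outside the hunk, so the claim that `anchors` can precede `end` is inferred from the second hunk's one-byte `anchorData` sanitize rather than seen.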