walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[subset] sanity check glyph data writes during glyph subsetting to ensure they are inbounds.

This commit is contained in:
Garret Rieger 2018-02-20 16:48:52 -08:00 committed by Behdad Esfahbod
parent 0ab73e5942
commit a998eeee4a
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/hb-subset-glyf.cc
View File

@ -89,7 +89,6 @@ _write_loca_entry (unsigned int id,
return false; return false;
} }
static void static void
_update_components (hb_subset_plan_t * plan, _update_components (hb_subset_plan_t * plan,
char * glyph_start, char * glyph_start,
@ -124,7 +123,6 @@ _write_glyf_and_loca_prime (hb_subset_plan_t *plan,
unsigned int loca_prime_size, unsigned int loca_prime_size,
char *loca_prime_data /* OUT */) char *loca_prime_data /* OUT */)
{ {
// TODO(grieger): Sanity check writes to make sure they are in-bounds.
hb_prealloced_array_t<hb_codepoint_t> &glyph_ids = plan->gids_to_retain_sorted; hb_prealloced_array_t<hb_codepoint_t> &glyph_ids = plan->gids_to_retain_sorted;
char *glyf_prime_data_next = glyf_prime_data; char *glyf_prime_data_next = glyf_prime_data;
@ -136,6 +134,15 @@ _write_glyf_and_loca_prime (hb_subset_plan_t *plan,
end_offset = start_offset = 0; end_offset = start_offset = 0;
int length = end_offset - start_offset; int length = end_offset - start_offset;
if (glyf_prime_data_next + length > glyf_prime_data + glyf_prime_size)
{
DEBUG_MSG (SUBSET,
nullptr,
"WARNING: Attempted to write an out of bounds glyph entry for gid %d",
i);
return false;
}
memcpy (glyf_prime_data_next, glyf_data + start_offset, length); memcpy (glyf_prime_data_next, glyf_data + start_offset, length);
success = success && _write_loca_entry (i, success = success && _write_loca_entry (i,