Add guard to copy_glyph_at_idx

This commit is contained in:
ckitagawa 2020-02-04 09:49:24 -05:00
parent e128f80278
commit b114b26a56
2 changed files with 9 additions and 2 deletions


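--- a/PATH_NOT_SHOWN_FILE_1
+++ b/PATH_NOT_SHOWN_FILE_1
@@ -65,7 +65,7 @@ bool CBLC::subset (hb_subset_context_t *c) const
 CBDT_internal::copy_data_to_cbdt (&cbdt_prime, cbdt, CBDT::min_size);
 for (const BitmapSizeTable& table : + sizeTables.iter ())
-subset_size_table (c, table, (const char *) cbdt, cblc_prime, &cbdt_prime);
+subset_size_table (c, table, (const char *) cbdt, cbdt_length, cblc_prime, &cbdt_prime);
 hb_blob_destroy (cbdt_blob);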
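Review bot: The new `cbdt_length` is threaded into `subset_size_table`, but the `copy_data_to_cbdt (&cbdt_prime, cbdt, CBDT::min_size)` call two lines above still reads `CBDT::min_size` bytes from `cbdt` without being compared against that length. If `cbdt` comes from a sanitized blob earlier in `CBLC::subset`, sanitize already guarantees the header fits and nothing more is needed; if a shorter or empty blob can reach this point, the same kind of guard the commit adds to `copy_glyph_at_idx` belongs here, e.g. `if (unlikely (cbdt_length < CBDT::min_size)) return_trace (false);` (or whatever failure path this function already uses) before the copy. `CBLC::subset` starts outside the hunk, so where `cbdt_length` is obtained is not visible here.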


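--- a/PATH_NOT_SHOWN_FILE_2
+++ b/PATH_NOT_SHOWN_FILE_2
@@ -55,6 +55,7 @@ HB_INTERNAL bool copy_data_to_cbdt (hb_vector_t<char> *cbdt_prime,
 struct cblc_bitmap_size_subset_context_t
 {
 const char *cbdt;
+unsigned int cbdt_length;
 hb_vector_t<char> *cbdt_prime;
 unsigned int size; /* INOUT
 * Input: old size of IndexSubtable
@@ -265,6 +266,7 @@ struct IndexSubtable
 bool copy_glyph_at_idx (hb_serialize_context_t *c,
 unsigned int idx,
 const char *cbdt,
+unsigned int cbdt_length,
 hb_vector_t<char> *cbdt_prime /* INOUT */,
 IndexSubtable *subtable_prime /* INOUT */,
 unsigned int *size /* OUT (accumulated) */) const
@@ -273,6 +275,7 @@ struct IndexSubtable
 unsigned int offset, length, format;
 if (unlikely (!get_image_data (idx, &offset, &length, &format))) return_trace (false);
+if (unlikely (offset > cbdt_length || cbdt_length - offset < length)) return_trace (false);
 auto* header_prime = subtable_prime->get_header();
 unsigned int new_local_offset = cbdt_prime->length - (unsigned int) header_prime->imageDataOffset;
@@ -414,6 +417,7 @@ struct IndexSubtableRecord
 if (unlikely (!next_subtable->copy_glyph_at_idx (c->serializer,
 old_idx,
 bitmap_size_context->cbdt,
+bitmap_size_context->cbdt_length,
 bitmap_size_context->cbdt_prime,
 subtable,
 &bitmap_size_context->size)))
@@ -620,6 +624,7 @@ struct BitmapSizeTable
 const void *src_base,
 const void *dst_base,
 const char *cbdt,
+unsigned int cbdt_length,
 hb_vector_t<char> *cbdt_prime /* INOUT */) const
 {
 TRACE_SUBSET (this);
@@ -628,6 +633,7 @@ struct BitmapSizeTable
 cblc_bitmap_size_subset_context_t bitmap_size_context;
 bitmap_size_context.cbdt = cbdt;
+bitmap_size_context.cbdt_length = cbdt_length;
 bitmap_size_context.cbdt_prime = cbdt_prime;
 bitmap_size_context.size = indexTablesSize;
 bitmap_size_context.num_tables = numberOfIndexSubtables;
@@ -729,6 +735,7 @@ struct CBLC
 bool subset_size_table (hb_subset_context_t *c,
 const BitmapSizeTable& table,
 const char *cbdt /* IN */,
+unsigned int cbdt_length,
 CBLC *cblc_prime /* INOUT */,
 hb_vector_t<char> *cbdt_prime /* INOUT */) const
 {
@@ -738,7 +745,7 @@ struct CBLC
 auto snap = c->serializer->snapshot ();
 auto cbdt_prime_len = cbdt_prime->length;
-if (!table.subset (c, this, cblc_prime, cbdt, cbdt_prime))
+if (!table.subset (c, this, cblc_prime, cbdt, cbdt_length, cbdt_prime))
 {
 cblc_prime->sizeTables.len--;
 c->serializer->revert (snap);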
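Review bot: The `cbdt_length` parameter added to `copy_glyph_at_idx`, `BitmapSizeTable::subset` and `subset_size_table`, and the new field in `cblc_bitmap_size_subset_context_t`, carry no annotation while the neighbouring `cbdt /* IN */` and `cbdt_prime /* INOUT */` parameters do, so a reader has to find the guard in the `@@ -273` hunk to learn that it is the byte length of the buffer `cbdt` points to. Suggest `unsigned int cbdt_length; /* IN: byte length of the buffer cbdt points to */` on the struct and `unsigned int cbdt_length /* IN */,` at the three parameter sites. The guard itself is in the right non-overflowing form, and `offset > cbdt_length` rather than `>=` allows a zero-length image ending exactly at the buffer end; a comment such as `/* [offset, offset+length) must lie inside cbdt; phrased this way so offset+length cannot overflow */` would keep it from being rewritten as `offset + length > cbdt_length` later. Whether the blob behind `cbdt` is sanitized to at least `CBDT::min_size` before its length is taken is not visible in this section.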