[CFF] check out of range FD index (#1477)
* add fd index checks to subr subsetter also added oss-fuzz test case * undid SubrSubsetParam::is_valid because already validated by SubrClosures.valid
This commit is contained in:
parent
3f8e7a98d3
commit
bcb4ecaf68
|
@ -313,6 +313,8 @@ struct SubrFlattener
|
||||||
hb_codepoint_t glyph = glyphs[i];
|
hb_codepoint_t glyph = glyphs[i];
|
||||||
const ByteStr str = (*acc.charStrings)[glyph];
|
const ByteStr str = (*acc.charStrings)[glyph];
|
||||||
unsigned int fd = acc.fdSelect->get_fd (glyph);
|
unsigned int fd = acc.fdSelect->get_fd (glyph);
|
||||||
|
if (unlikely (fd >= acc.fdCount))
|
||||||
|
return false;
|
||||||
CSInterpreter<ENV, OPSET, FlattenParam> interp;
|
CSInterpreter<ENV, OPSET, FlattenParam> interp;
|
||||||
interp.env.init (str, acc, fd);
|
interp.env.init (str, acc, fd);
|
||||||
FlattenParam param = { flat_charstrings[i], drop_hints };
|
FlattenParam param = { flat_charstrings[i], drop_hints };
|
||||||
|
@ -684,6 +686,8 @@ struct SubrSubsetter
|
||||||
hb_codepoint_t glyph = glyphs[i];
|
hb_codepoint_t glyph = glyphs[i];
|
||||||
const ByteStr str = (*acc.charStrings)[glyph];
|
const ByteStr str = (*acc.charStrings)[glyph];
|
||||||
unsigned int fd = acc.fdSelect->get_fd (glyph);
|
unsigned int fd = acc.fdSelect->get_fd (glyph);
|
||||||
|
if (unlikely (fd >= acc.fdCount))
|
||||||
|
return false;
|
||||||
|
|
||||||
CSInterpreter<ENV, OPSET, SubrSubsetParam> interp;
|
CSInterpreter<ENV, OPSET, SubrSubsetParam> interp;
|
||||||
interp.env.init (str, acc, fd);
|
interp.env.init (str, acc, fd);
|
||||||
|
@ -707,6 +711,8 @@ struct SubrSubsetter
|
||||||
for (unsigned int i = 0; i < glyphs.len; i++)
|
for (unsigned int i = 0; i < glyphs.len; i++)
|
||||||
{
|
{
|
||||||
unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
|
unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
|
||||||
|
if (unlikely (fd >= acc.fdCount))
|
||||||
|
return false;
|
||||||
SubrSubsetParam param;
|
SubrSubsetParam param;
|
||||||
param.init (&parsed_charstrings[i],
|
param.init (&parsed_charstrings[i],
|
||||||
&parsed_global_subrs, &parsed_local_subrs[fd],
|
&parsed_global_subrs, &parsed_local_subrs[fd],
|
||||||
|
@ -727,6 +733,8 @@ struct SubrSubsetter
|
||||||
for (unsigned int i = 0; i < glyphs.len; i++)
|
for (unsigned int i = 0; i < glyphs.len; i++)
|
||||||
{
|
{
|
||||||
unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
|
unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
|
||||||
|
if (unlikely (fd >= acc.fdCount))
|
||||||
|
return false;
|
||||||
SubrSubsetParam param;
|
SubrSubsetParam param;
|
||||||
param.init (&parsed_charstrings[i],
|
param.init (&parsed_charstrings[i],
|
||||||
&parsed_global_subrs, &parsed_local_subrs[fd],
|
&parsed_global_subrs, &parsed_local_subrs[fd],
|
||||||
|
@ -748,6 +756,8 @@ struct SubrSubsetter
|
||||||
for (unsigned int i = 0; i < glyphs.len; i++)
|
for (unsigned int i = 0; i < glyphs.len; i++)
|
||||||
{
|
{
|
||||||
unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
|
unsigned int fd = acc.fdSelect->get_fd (glyphs[i]);
|
||||||
|
if (unlikely (fd >= acc.fdCount))
|
||||||
|
return false;
|
||||||
if (unlikely (!encode_str (parsed_charstrings[i], fd, buffArray[i])))
|
if (unlikely (!encode_str (parsed_charstrings[i], fd, buffArray[i])))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
Binary file not shown.
Loading…
Reference in New Issue