[hdmx] Fix bounds checking

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11351
Behdad Esfahbod 2018-11-16 02:02:24 -05:00
parent af727b4e62
commit cb4bf85b14
1 changed files with 5 additions and 6 deletions


@ -66,12 +66,9 @@ struct DeviceRecord
if (unlikely (i >= len ())) return nullptr; if (unlikely (i >= len ())) return nullptr;
hb_codepoint_t gid = this->subset_plan->glyphs [i]; hb_codepoint_t gid = this->subset_plan->glyphs [i];
const HBUINT8* width = &(this->source_device_record->widthsZ[gid]); if (gid >= sizeDeviceRecord - DeviceRecord::min_size)
if (width < ((const HBUINT8 *) this->source_device_record) + sizeDeviceRecord)
return width;
else
return nullptr; return nullptr;
return &(this->source_device_record->widthsZ[gid]);
} }
}; };
@ -135,6 +132,8 @@ struct hdmx
inline const DeviceRecord& operator [] (unsigned int i) const inline const DeviceRecord& operator [] (unsigned int i) const
{ {
/* XXX Null(DeviceRecord) is NOT safe as it's num-glyphs lengthed.
* https://github.com/harfbuzz/harfbuzz/issues/1300 */
if (unlikely (i >= numRecords)) return Null (DeviceRecord); if (unlikely (i >= numRecords)) return Null (DeviceRecord);
return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord); return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
} }
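Review bot: The new guard in the first hunk, `if (gid >= sizeDeviceRecord - DeviceRecord::min_size)`, is only sound when `sizeDeviceRecord >= DeviceRecord::min_size`; with a smaller value the unsigned subtraction wraps and the check admits every gid, so the returned pointer would again lie past the record. Presumably hdmx::sanitize enforces that lower bound (it is not visible on this page), in which case a one-line comment on the guard such as `/* sizeDeviceRecord >= DeviceRecord::min_size is established by hdmx::sanitize */` would make the dependency explicit to the next reader; if it is not enforced, the guard should test `sizeDeviceRecord < DeviceRecord::min_size` first. The function containing this guard starts before the hunk, so its name and the provenance of `sizeDeviceRecord` cannot be checked here. The second hunk only adds the XXX comment about Null(DeviceRecord), which records the remaining issue rather than changing behaviour.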