[AAT] Fully sanitize ankr table at sanitize time
Third attempt to fix the access issue; follow-up to 6879efc2c1.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12532
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=922303
parent
6879efc2c1
commit
cc8e9a436f
@ -65,14 +65,10 @@ struct ankr
|
|||
unsigned int num_glyphs,
|
||||
const char *end) const
|
||||
{
|
||||
const Offset<HBUINT16, false> *offset = (this+lookupTable).get_value (glyph_id, num_glyphs);
|
||||
const OffsetTo<GlyphAnchors, HBUINT16, false> *offset = (this+lookupTable).get_value (glyph_id, num_glyphs);
|
||||
if (!offset)
|
||||
return Null(Anchor);
|
||||
const GlyphAnchors &anchors = StructAtOffset<GlyphAnchors> (&(this+anchorData), *offset);
|
||||
if (unlikely (end < (const char *) &anchors ||
|
||||
end - (const char *) &anchors < anchors.len.static_size ||
|
||||
end - (const char *) &anchors < anchors.get_size ()))
|
||||
return Null(Anchor);
|
||||
const GlyphAnchors &anchors = &(this+anchorData) + *offset;
|
||||
return anchors[i];
|
||||
}
|
||||
|
||||
|
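Review bot: The `end` parameter kept in the signature (`const char *end) const`) is no longer read anywhere in the new body, now that the explicit range check against `end` has been removed and `anchors` is formed directly as `&(this+anchorData) + *offset`. Either drop the parameter from the signature and its callers, or keep it deliberately and say so, e.g. `/* end: unused; anchor offsets are range-checked against anchorData in sanitize(). */`. A one-line comment above the `anchors` line stating that invariant would also help, since a reader of get_anchor alone now sees an unchecked offset dereference and has to find the sanitize() change to know it is safe; `glyph_id` is still guarded by the `num_glyphs` check inside `get_value`, so only the anchor-offset side depends on sanitize. The enclosing get_anchor begins above this hunk.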
@ -81,14 +77,13 @@ struct ankr
|
|||
TRACE_SANITIZE (this);
|
||||
return_trace (likely (c->check_struct (this) &&
|
||||
version == 0 &&
|
||||
lookupTable.sanitize (c, this) &&
|
||||
anchorData.sanitize (c, this) /* Just one byte. */));
|
||||
lookupTable.sanitize (c, this, &(this+anchorData))));
|
||||
}
|
||||
|
||||
protected:
|
||||
HBUINT16 version; /* Version number (set to zero) */
|
||||
HBUINT16 flags; /* Flags (currently unused; set to zero) */
|
||||
LOffsetTo<Lookup<Offset<HBUINT16, false> >, false>
|
||||
LOffsetTo<Lookup<OffsetTo<GlyphAnchors, HBUINT16, false> >, false>
|
||||
lookupTable; /* Offset to the table's lookup table */
|
||||
LOffsetTo<HBUINT8, false>
|
||||
anchorData; /* Offset to the glyph data table */
|
||||
|
|
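Review bot: The new `lookupTable.sanitize (c, this, &(this+anchorData))` computes the `anchorData` base before anything has validated that offset, because the separate `anchorData.sanitize (c, this)` line was dropped; this is presumably sound only because each `OffsetTo<GlyphAnchors>` inside the lookup is range-checked relative to that base, so an `anchorData` value pointing past the blob would be rejected on the first non-null anchor offset rather than here — worth confirming that this also holds for a lookup whose every offset is null. A short comment on the `lookupTable.sanitize` line would make the reliance explicit for future readers, e.g. `/* Anchor offsets are checked against the anchorData base here, so get_anchor() needs no runtime range check. */`. The field-type change from `Offset<HBUINT16, false>` to `OffsetTo<GlyphAnchors, HBUINT16, false>` is what lets this deep sanitize happen and matches the accessor change in the previous hunk. The enclosing sanitize() begins above this hunk.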