walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[aat] Fix mul overflow 

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10897
This commit is contained in:
Behdad Esfahbod 2018-10-11 15:56:17 -04:00
parent 1d995a340b
commit e940530c97
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/hb-aat-layout-common.hh
View File

@ -386,6 +386,8 @@ struct StateTable
const HBUINT16 *states = (this+stateArrayTable).arrayZ; const HBUINT16 *states = (this+stateArrayTable).arrayZ;
const Entry<Extra> *entries = (this+entryTable).arrayZ; const Entry<Extra> *entries = (this+entryTable).arrayZ;
unsigned int num_classes = nClasses;
unsigned int num_states = 1; unsigned int num_states = 1;
unsigned int num_entries = 0; unsigned int num_entries = 0;
@ -393,13 +395,16 @@ struct StateTable
unsigned int entry = 0; unsigned int entry = 0;
while (state < num_states) while (state < num_states)
{ {
if (unlikely (hb_unsigned_mul_overflows (num_classes, states[0].static_size)))
return_trace (false);
if (unlikely (!c->check_array (states, if (unlikely (!c->check_array (states,
num_states, num_states,
states[0].static_size * nClasses))) num_classes * states[0].static_size)))
return_trace (false); return_trace (false);
{ /* Sweep new states. */ { /* Sweep new states. */
const HBUINT16 *stop = &states[num_states * nClasses]; const HBUINT16 *stop = &states[num_states * num_classes];
for (const HBUINT16 *p = &states[state * nClasses]; p < stop; p++) for (const HBUINT16 *p = &states[state * num_classes]; p < stop; p++)
num_entries = MAX<unsigned int> (num_entries, *p + 1); num_entries = MAX<unsigned int> (num_entries, *p + 1);
state = num_states; state = num_states;
} }