[hangul] Fix use-after-free issue

out_info might have moved since we copied its position into local
info var.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=894937
Behdad Esfahbod 2018-10-13 09:47:51 -04:00
parent 63109432cf
commit ed2ee78136
1 changed files with 9 additions and 7 deletions


@ -345,13 +345,6 @@ preprocess_text_hangul (const hb_ot_shape_plan_t *plan,
{ {
unsigned int s_len = tindex ? 3 : 2; unsigned int s_len = tindex ? 3 : 2;
buffer->replace_glyphs (1, s_len, decomposed); buffer->replace_glyphs (1, s_len, decomposed);
if (unlikely (!buffer->successful))
return;
/* We decomposed S: apply jamo features to the individual glyphs
* that are now in buffer->out_info.
*/
hb_glyph_info_t *info = buffer->out_info;
/* If we decomposed an LV because of a non-combining T following, /* If we decomposed an LV because of a non-combining T following,
* we want to include this T in the syllable. * we want to include this T in the syllable.
@ -361,6 +354,14 @@ preprocess_text_hangul (const hb_ot_shape_plan_t *plan,
buffer->next_glyph (); buffer->next_glyph ();
s_len++; s_len++;
} }
if (unlikely (!buffer->successful))
return;
/* We decomposed S: apply jamo features to the individual glyphs
* that are now in buffer->out_info.
*/
hb_glyph_info_t *info = buffer->out_info;
end = start + s_len; end = start + s_len;
unsigned int i = start; unsigned int i = start;
@ -368,6 +369,7 @@ preprocess_text_hangul (const hb_ot_shape_plan_t *plan,
info[i++].hangul_shaping_feature() = VJMO; info[i++].hangul_shaping_feature() = VJMO;
if (i < end) if (i < end)
info[i++].hangul_shaping_feature() = TJMO; info[i++].hangul_shaping_feature() = TJMO;
if (buffer->cluster_level == HB_BUFFER_CLUSTER_LEVEL_MONOTONE_GRAPHEMES) if (buffer->cluster_level == HB_BUFFER_CLUSTER_LEVEL_MONOTONE_GRAPHEMES)
buffer->merge_out_clusters (start, end); buffer->merge_out_clusters (start, end);
continue; continue;
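Review bot: Moving the `buffer->successful` check below the trailing-T block means that block's `buffer->next_glyph ()` can now run on a buffer that `replace_glyphs` has already failed on, where previously the function returned first. Only the `hb_glyph_info_t *info = buffer->out_info;` fetch has to move to fix the stale pointer, so I would keep `if (unlikely (!buffer->successful)) return;` directly after `replace_glyphs` and repeat it after the T block, unless the buffer methods are known to be safe no-ops once the buffer has failed (not visible in these hunks). A one-line comment above the fetch, such as `/* Take out_info only after the last call that can grow the output buffer; it may be reallocated. */`, would keep a later edit from hoisting the pointer again. The enclosing loop body starts and ends outside the hunks shown.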