Henri Verbeet : usp10: Range check glyph counts in GPOS_apply_ChainContextPos().

Alexandre Julliard julliard at winehq.org
Wed Apr 5 16:17:07 CDT 2017


Module: wine
Branch: master
Commit: 7dfe9b9c94e5c57a2b6c0b1252e72b78a17a678d
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=7dfe9b9c94e5c57a2b6c0b1252e72b78a17a678d

Author: Henri Verbeet <hverbeet at codeweavers.com>
Date:   Wed Apr  5 10:21:28 2017 +0200

usp10: Range check glyph counts in GPOS_apply_ChainContextPos().

I.e., avoid accessing outside the "glyphs" array. If we're particularly
unlucky we may actually get a match against data outside the array.

Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
Signed-off-by: Aric Stewart <aric at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/usp10/opentype.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
index b5ee5d1..9c1d596 100644
--- a/dlls/usp10/opentype.c
+++ b/dlls/usp10/opentype.c
@@ -2235,10 +2235,22 @@ static unsigned int GPOS_apply_ChainContextPos(const ScriptCache *script_cache,
             TRACE("  subtype 3 (Coverage-based Chaining Context Glyph Positioning)\n");
 
             backtrack_count = GET_BE_WORD(backtrack->BacktrackGlyphCount);
+            k = glyph_index + dirBacktrack * backtrack_count;
+            if (k < 0 || k >= glyph_count)
+                continue;
+
             input = (const GPOS_ChainContextPosFormat3_2 *)&backtrack->Coverage[backtrack_count];
             input_count = GET_BE_WORD(input->InputGlyphCount);
+            k = glyph_index + write_dir * (input_count - 1);
+            if (k < 0 || k >= glyph_count)
+                continue;
+
             lookahead = (const GPOS_ChainContextPosFormat3_3 *)&input->Coverage[input_count];
             lookahead_count = GET_BE_WORD(lookahead->LookaheadGlyphCount);
+            k = glyph_index + dirLookahead * (input_count + lookahead_count - 1);
+            if (k < 0 || k >= glyph_count)
+                continue;
+
             positioning = (const GPOS_ChainContextPosFormat3_4 *)&lookahead->Coverage[lookahead_count];
 
             for (k = 0; k < backtrack_count; ++k)
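
Review bot: The new checks bound the indexes into "glyphs", but the same counts are still used unchecked to step through the font table, at `input = (...)&backtrack->Coverage[backtrack_count];`, `lookahead = (...)&input->Coverage[input_count];` and `positioning = (...)&lookahead->Coverage[lookahead_count];`. Nothing visible in this hunk verifies that those derived pointers stay inside the subtable, so as far as these lines show, a font with oversized counts could still cause the next GET_BE_WORD() read to land outside the table data. If the subtable length is available at this point, consider validating each derived pointer against it before reading the next count. A smaller point at `k = glyph_index + write_dir * (input_count - 1);`: an InputGlyphCount of 0 is not rejected explicitly, and the result of `input_count - 1` then depends on the declared type of input_count, which is not shown here. An explicit `input_count == 0` test ahead of the range check would make the intended handling clear.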



