Henri Verbeet : usp10: Range check glyph counts in GSUB_apply_ChainContextSubst().

Alexandre Julliard julliard at winehq.org
Thu Apr 6 15:05:24 CDT 2017


Module: wine
Branch: master
Commit: f7b943edbc1e3227db13b3384f9513e98580b8ce
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=f7b943edbc1e3227db13b3384f9513e98580b8ce

Author: Henri Verbeet <hverbeet at codeweavers.com>
Date:   Thu Apr  6 12:03:44 2017 +0200

usp10: Range check glyph counts in GSUB_apply_ChainContextSubst().

Like in GPOS_apply_ChainContextPos().

Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
Signed-off-by: Aric Stewart <aric at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/usp10/opentype.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
index 76a559c..81a5180 100644
--- a/dlls/usp10/opentype.c
+++ b/dlls/usp10/opentype.c
@@ -1291,10 +1291,22 @@ static INT GSUB_apply_ChainContextSubst(const OT_LookupList* lookup, const OT_Lo
                 offset = GET_BE_WORD(csc->ChainSubClassRule[i]);
                 backtrack = (const GSUB_ChainSubClassRule_1 *)((BYTE *)csc + offset);
                 backtrack_count = GET_BE_WORD(backtrack->BacktrackGlyphCount);
+                k = glyph_index + dirBacktrack * backtrack_count;
+                if (k < 0 || k >= *glyph_count)
+                    continue;
+
                 input = (const GSUB_ChainSubClassRule_2 *)&backtrack->Backtrack[backtrack_count];
                 input_count = GET_BE_WORD(input->InputGlyphCount) - 1;
+                k = glyph_index + write_dir * input_count;
+                if (k < 0 || k >= *glyph_count)
+                    continue;
+
                 lookahead = (const GSUB_ChainSubClassRule_3 *)&input->Input[input_count];
                 lookahead_count = GET_BE_WORD(lookahead->LookaheadGlyphCount);
+                k = glyph_index + dirLookahead * (input_count + lookahead_count);
+                if (k < 0 || k >= *glyph_count)
+                    continue;
+
                 substitute = (const GSUB_ChainSubClassRule_4 *)&lookahead->LookAhead[lookahead_count];
 
                 for (k = 0; k < backtrack_count; ++k)
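Review bot: A zero InputGlyphCount is not rejected before the new input check in the class-rule path. `input_count = GET_BE_WORD(input->InputGlyphCount) - 1;` yields -1 for a font that supplies 0 (assuming input_count is a signed type; its declaration is outside the hunk), so `k = glyph_index + write_dir * input_count` tests the position one step behind glyph_index, which can be in range, and the rule is not skipped. `&input->Input[input_count]` would then point before the Input array. Rejecting a zero count explicitly before the subtraction would close that case, and a one-line comment stating that each k is the farthest glyph position the rule can touch would make the three checks easier to audit.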
@@ -1365,10 +1377,22 @@ static INT GSUB_apply_ChainContextSubst(const OT_LookupList* lookup, const OT_Lo
 
             backtrack = (const GSUB_ChainContextSubstFormat3_1 *)ccsf1;
             backtrack_count = GET_BE_WORD(backtrack->BacktrackGlyphCount);
+            k = glyph_index + dirBacktrack * backtrack_count;
+            if (k < 0 || k >= *glyph_count)
+                continue;
+
             input = (const GSUB_ChainContextSubstFormat3_2 *)&backtrack->Coverage[backtrack_count];
             input_count = GET_BE_WORD(input->InputGlyphCount);
+            k = glyph_index + write_dir * (input_count - 1);
+            if (k < 0 || k >= *glyph_count)
+                continue;
+
             lookahead = (const GSUB_ChainContextSubstFormat3_3 *)&input->Coverage[input_count];
             lookahead_count = GET_BE_WORD(lookahead->LookaheadGlyphCount);
+            k = glyph_index + dirLookahead * (input_count + lookahead_count - 1);
+            if (k < 0 || k >= *glyph_count)
+                continue;
+
             substitute = (const GSUB_ChainContextSubstFormat3_4 *)&lookahead->Coverage[lookahead_count];
 
             for (k = 0; k < backtrack_count; ++k)
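Review bot: The three checks added in the format 3 path bound only the glyph positions against *glyph_count; the table pointers built from the same font-supplied counts, `&backtrack->Coverage[backtrack_count]`, `&input->Coverage[input_count]` and `&lookahead->Coverage[lookahead_count]`, are still computed with no comparison against the extent of the table. If that validation happens elsewhere, a comment saying so would help; if not, it is worth a follow-up. As in the class-rule path, an InputGlyphCount of 0 makes `input_count - 1` negative and the input check can still pass, so an explicit zero test is worth adding here too. The repeated `k = ...; if (k < 0 || k >= *glyph_count) continue;` sequence could also move into a small helper shared with GPOS_apply_ChainContextPos() so the two stay in sync.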



