[PATCH 4/5] usp10: Range check glyph counts in GPOS_apply_ChainContextPos().

Aric Stewart aric at codeweavers.com
Wed Apr 5 06:54:43 CDT 2017


Signed-off-by: Aric Stewart <aric at codeweavers.com>

On 4/5/17 3:21 AM, Henri Verbeet wrote:
> I.e., avoid accessing outside the "glyphs" array. If we're particularly
> unlucky we may actually get a match against data outside the array.
> 
> Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
> ---
>  dlls/usp10/opentype.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
> index b5ee5d1..9c1d596 100644
> --- a/dlls/usp10/opentype.c
> +++ b/dlls/usp10/opentype.c
> @@ -2235,10 +2235,22 @@ static unsigned int GPOS_apply_ChainContextPos(const ScriptCache *script_cache,
>              TRACE("  subtype 3 (Coverage-based Chaining Context Glyph Positioning)\n");
>  
>              backtrack_count = GET_BE_WORD(backtrack->BacktrackGlyphCount);
> +            k = glyph_index + dirBacktrack * backtrack_count;
> +            if (k < 0 || k >= glyph_count)
> +                continue;
> +
>              input = (const GPOS_ChainContextPosFormat3_2 *)&backtrack->Coverage[backtrack_count];
>              input_count = GET_BE_WORD(input->InputGlyphCount);
> +            k = glyph_index + write_dir * (input_count - 1);
> +            if (k < 0 || k >= glyph_count)
> +                continue;
> +
>              lookahead = (const GPOS_ChainContextPosFormat3_3 *)&input->Coverage[input_count];
>              lookahead_count = GET_BE_WORD(lookahead->LookaheadGlyphCount);
> +            k = glyph_index + dirLookahead * (input_count + lookahead_count - 1);
> +            if (k < 0 || k >= glyph_count)
> +                continue;
> +
>              positioning = (const GPOS_ChainContextPosFormat3_4 *)&lookahead->Coverage[lookahead_count];
>  
>              for (k = 0; k < backtrack_count; ++k)
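Review bot: The three bound computations are asymmetric (`backtrack_count` for the first, `input_count - 1` and `input_count + lookahead_count - 1` for the others) and nothing in the hunk says why. A one-line comment at each check naming the farthest glyph index the following match loop reads would make the off-by-one reasoning checkable. The second check also deserves a look for a font-supplied InputGlyphCount of 0: `input_count - 1` then gives `k = glyph_index - write_dir`, so the lookup can be skipped at the edge of the array even though no input glyph would be read, and if `input_count` is declared unsigned (its declaration is not in the hunk) the subtraction wraps instead. These checks bound indexes into `glyphs` only; the `&backtrack->Coverage[backtrack_count]`, `&input->Coverage[input_count]` and `&lookahead->Coverage[lookahead_count]` pointers are still derived from font-supplied counts with no check against the subtable length visible here.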
> 


