[PATCH 1/5] usp10: Validate positioning record sequence indices in GPOS_apply_ChainContextPos().

Aric Stewart aric at codeweavers.com
Tue Apr 18 06:59:16 CDT 2017


Signed-off-by: Aric Stewart <aric at codeweavers.com>


On 4/17/17 1:26 PM, Henri Verbeet wrote:
> The issue is somewhat theoretical, since in reasonable fonts the indices
> should always be valid, and in fact are fairly likely to be 0. On the other
> hand, web fonts exist.
> 
> Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
> ---
>  dlls/usp10/opentype.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
> index a3346ef..f0417f1 100644
> --- a/dlls/usp10/opentype.c
> +++ b/dlls/usp10/opentype.c
> @@ -2301,12 +2301,20 @@ static unsigned int GPOS_apply_ChainContextPos(const ScriptCache *script_cache,
>  
>              for (k = 0; k < positioning_count; ++k)
>              {
> -                WORD lookup_index = GET_BE_WORD(positioning->PosLookupRecord[k].LookupListIndex);
> -                WORD sequence_index = GET_BE_WORD(positioning->PosLookupRecord[k].SequenceIndex) * write_dir;
> +                unsigned int lookup_index = GET_BE_WORD(positioning->PosLookupRecord[k].LookupListIndex);
> +                unsigned int sequence_index = GET_BE_WORD(positioning->PosLookupRecord[k].SequenceIndex);
> +                unsigned int g = glyph_index + write_dir * sequence_index;
> +
> +                if (g >= glyph_count)
> +                {
> +                    WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n",
> +                            sequence_index, glyph_index, write_dir);
> +                    continue;
> +                }
>  
>                  TRACE("Position: %u -> %u %u.\n", k, sequence_index, lookup_index);
>                  GPOS_apply_lookup(script_cache, otm, logfont, analysis, advance, lookup, lookup_index,
> -                        glyphs, glyph_index + sequence_index, glyph_count, goffset);
> +                        glyphs, g, glyph_count, goffset);
>              }
>              return input_count + lookahead_count;
>          }
> 
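Review bot: the `if (g >= glyph_count)` check in the loop body also has to reject the case where write_dir is negative and sequence_index exceeds glyph_index, and it does so only implicitly. Assuming write_dir is a signed int (the %d in the WARN suggests so), `write_dir * sequence_index` is evaluated as unsigned, so a target before the start of the glyph array wraps to a large value and fails the upper-bound test. A one-line comment at the computation of `g` stating that the wraparound is intentional would keep a later change of `g` or sequence_index to a signed type from silently removing the lower-bound check. The WARN would also be easier to act on if it printed glyph_count, since the three values it logs are not enough to see why the index was rejected. Separately, lookup_index is passed to GPOS_apply_lookup() unchanged and no range check on it is visible in this hunk; it is worth confirming that the callee validates it against the lookup list.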


