[PATCH 2/5] usp10: Validate substition record sequence indices in GSUB_apply_ChainContextSubst().

Aric Stewart aric at codeweavers.com
Tue Apr 18 06:59:22 CDT 2017


Signed-off-by: Aric Stewart <aric at codeweavers.com>

On 4/17/17 1:26 PM, Henri Verbeet wrote:
> Signed-off-by: Henri Verbeet <hverbeet at codeweavers.com>
> ---
>  dlls/usp10/opentype.c | 30 ++++++++++++++++++++++--------
>  1 file changed, 22 insertions(+), 8 deletions(-)
> 
> diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
> index f0417f1..2cca0cb 100644
> --- a/dlls/usp10/opentype.c
> +++ b/dlls/usp10/opentype.c
> @@ -1346,12 +1346,19 @@ static INT GSUB_apply_ChainContextSubst(const OT_LookupList* lookup, const OT_Lo
>                  substitute_count = GET_BE_WORD(substitute->SubstCount);
>                  for (k = 0; k < substitute_count; ++k)
>                  {
> -                    WORD lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex);
> -                    WORD sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex) * write_dir;
> +                    unsigned int lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex);
> +                    unsigned int sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex);
> +                    unsigned int g = glyph_index + write_dir * sequence_index;
> +
> +                    if (g >= *glyph_count)
> +                    {
> +                        WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n",
> +                                sequence_index, glyph_index, write_dir);
> +                        continue;
> +                    }
>  
>                      TRACE("SUBST: %u -> %u %u.\n", k, sequence_index, lookup_index);
> -                    new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs,
> -                            glyph_index + sequence_index, write_dir, glyph_count);
> +                    new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs, g, write_dir, glyph_count);
>                      if (new_index == GSUB_E_NOGLYPH)
>                          ERR("Chain failed to generate a glyph.\n");
>                  }
> @@ -1426,12 +1433,19 @@ static INT GSUB_apply_ChainContextSubst(const OT_LookupList* lookup, const OT_Lo
>              substitution_count = GET_BE_WORD(substitute->SubstCount);
>              for (k = 0; k < substitution_count; ++k)
>              {
> -                WORD lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex);
> -                WORD sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex) * write_dir;
> +                unsigned int lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex);
> +                unsigned int sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex);
> +                unsigned int g = glyph_index + write_dir * sequence_index;
> +
> +                if (g >= *glyph_count)
> +                {
> +                    WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n",
> +                            sequence_index, glyph_index, write_dir);
> +                    continue;
> +                }
>  
>                  TRACE("SUBST: %u -> %u %u.\n", k, sequence_index, lookup_index);
> -                new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs,
> -                        glyph_index + sequence_index, write_dir, glyph_count);
> +                new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs, g, write_dir, glyph_count);
>                  if (new_index == GSUB_E_NOGLYPH)
>                      ERR("Chain failed to generate a glyph.\n");
>              }
> 



More information about the wine-patches mailing list