src/hb-ot-hdmx-table.hh | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-)
New commits:
commit cb4bf85b14afb3761a85e3da130f2844ac94a49d
Author: Behdad Esfahbod <[email protected]>
Date: Fri Nov 16 02:02:24 2018 -0500
[hdmx] Fix bounds checking Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11351
diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index 2eed85c0..0fea24bc 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -66,12 +66,9 @@ struct DeviceRecord
 if (unlikely (i >= len ())) return nullptr;
 hb_codepoint_t gid = this->subset_plan->glyphs [i];
- const HBUINT8* width = &(this->source_device_record->widthsZ[gid]);
-
- if (width < ((const HBUINT8 *) this->source_device_record) + sizeDeviceRecord)
- return width;
- else
- return nullptr;
+ if (gid >= sizeDeviceRecord - DeviceRecord::min_size)
+ return nullptr;
+ return &(this->source_device_record->widthsZ[gid]);
 }
 };
@@ -135,6 +132,8 @@ struct hdmx
 inline const DeviceRecord& operator [] (unsigned int i) const
 {
+ /* XXX Null(DeviceRecord) is NOT safe as it's num-glyphs lengthed. * https://github.com/harfbuzz/harfbuzz/issues/1300 */
 if (unlikely (i >= numRecords)) return Null (DeviceRecord);
 return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
 }
commit af727b4e629f8b07d7afb809be69d053827f6a51
Author: Behdad Esfahbod <[email protected]>
Date: Fri Nov 16 01:55:39 2018 -0500
[hdmx] Minor
diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index 9cfce68a..2eed85c0 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -136,7 +136,7 @@ struct hdmx
 inline const DeviceRecord& operator [] (unsigned int i) const
 {
 if (unlikely (i >= numRecords)) return Null (DeviceRecord);
- return StructAtOffset<DeviceRecord> (&this->dataZ, i * sizeDeviceRecord);
+ return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
 }
 inline bool serialize (hb_serialize_context_t *c, const hdmx *source_hdmx, hb_subset_plan_t *plan)
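Review bot: The new guard `if (gid >= sizeDeviceRecord - DeviceRecord::min_size)` is unsigned arithmetic, so if sizeDeviceRecord were ever smaller than DeviceRecord::min_size the subtraction would wrap to a huge bound and the check would pass everything instead of rejecting the record. It is sound only because hdmx::sanitize() (the @@ -200 hunk of commit af727b4e below) requires `sizeDeviceRecord >= DeviceRecord::min_size`, which presumes the sizeDeviceRecord used here is copied from a sanitized hdmx; that dependency is worth stating next to the check, e.g. `/* sanitize() guarantees sizeDeviceRecord >= DeviceRecord::min_size, so this cannot wrap. */`. The enclosing operator [] starts before the hunk, so where sizeDeviceRecord is initialized cannot be confirmed from here.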
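Review bot: The added XXX comment records that `return Null (DeviceRecord)` is unsafe for an out-of-range index, but the code still returns it, so a caller that indexes widths on the result presumably still reads past the fixed-size Null object; the commit documents the hazard rather than closing it. Returning a pointer would let callers check, consistent with DeviceRecord::SubsetView::operator [] in the first hunk, which already returns nullptr: `inline const DeviceRecord* operator [] (unsigned int i) const` with `if (unlikely (i >= numRecords)) return nullptr;`. That is an interface change and needs the callers updated with it, so tracking it under the issue the comment cites is acceptable if a follow-up is planned.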
@@ -200,19 +200,19 @@ struct hdmx
 inline bool sanitize (hb_sanitize_context_t *c) const
 {
 TRACE_SANITIZE (this);
- return_trace (c->check_struct (this) && version == 0 &&
+ return_trace (c->check_struct (this) &&
 !hb_unsigned_mul_overflows (numRecords, sizeDeviceRecord) &&
 sizeDeviceRecord >= DeviceRecord::min_size &&
 c->check_range (this, get_size ()));
 }
 protected:
- HBUINT16 version; /* Table version number (0) */
- HBUINT16 numRecords; /* Number of device records. */
- HBUINT32 sizeDeviceRecord; /* Size of a device record, 32-bit aligned. */
- UnsizedArrayOf<HBUINT8> dataZ; /* Array of device records. */
+ HBUINT16 version; /* Table version number (0) */
+ HBUINT16 numRecords; /* Number of device records. */
+ HBUINT32 sizeDeviceRecord; /* Size of a device record, 32-bit aligned. */
+ DeviceRecord firstDeviceRecord; /* Array of device records. */
 public:
- DEFINE_SIZE_ARRAY (8, dataZ);
+ DEFINE_SIZE_MIN (8);
 };
 } /* namespace OT */
_______________________________________________
HarfBuzz mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/harfbuzz
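Review bot: sanitize() only rules out overflow of the product numRecords * sizeDeviceRecord; with a 16-bit numRecords and a 32-bit sizeDeviceRecord (both visible in the hunk) that product can sit just below UINT_MAX without overflowing, and if get_size() (outside this hunk) is `min_size + numRecords * sizeDeviceRecord`, the addition can then wrap to a small value that check_range() accepts for a table that is not actually that long. A guard beside the multiplication check, e.g. `min_size + numRecords * sizeDeviceRecord > numRecords * sizeDeviceRecord &&`, would close that. Separately, the hunk drops `version == 0` from sanitize while the field comment still reads `Table version number (0)`; if accepting other versions is intended, the commit message ("Minor") or that comment should say so. sanitize() itself is fully inside the hunk; get_size() is not.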
