[HarfBuzz] harfbuzz: Branch 'master'
Behdad Esfahbod
behdad at kemper.freedesktop.org
Mon Mar 2 03:47:45 PST 2009
src/harfbuzz-gpos.c | 22 ++++++++++++++++++----
src/harfbuzz-gsub.c | 6 ++++++
2 files changed, 24 insertions(+), 4 deletions(-)
New commits:
commit cb83c38045a7dd098f8edd4530d328e999a7bbaf
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Mon Mar 2 15:17:24 2009 +0330
Protect against illegal access of arrays of length zero
diff --git a/src/harfbuzz-gpos.c b/src/harfbuzz-gpos.c
index fbd1c0d..1ac3779 100644
--- a/src/harfbuzz-gpos.c
+++ b/src/harfbuzz-gpos.c
@@ -2064,9 +2064,13 @@ static void Free_BaseArray( HB_BaseArray* ba,
if ( ba->BaseRecord )
{
br = ba->BaseRecord;
- bans = br[0].BaseAnchor;
- FREE( bans );
+ if ( ba->BaseCount )
+ {
+ bans = br[0].BaseAnchor;
+ FREE( bans );
+ }
+
FREE( br );
}
}
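Review bot: The new `if ( ba->BaseCount )` guard in Free_BaseArray has no comment saying why only `br[0].BaseAnchor` is freed or why a zero count must skip it. From the visible lines it appears that the anchors are released through the first record, so with a zero-length BaseRecord array `br[0]` would be read out of bounds and the resulting pointer passed to FREE. A comment such as `/* anchors are freed via record 0 (presumably one shared allocation); with BaseCount == 0 there is no record 0 to read */` would record that. The `m2a->Mark2Count` guard in the Free_Mark2Array hunk needs the same comment. Both functions begin above their hunks, so whether the count is always set consistently with the record allocation cannot be confirmed from here.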
@@ -2795,9 +2799,13 @@ static void Free_Mark2Array( HB_Mark2Array* m2a,
if ( m2a->Mark2Record )
{
m2r = m2a->Mark2Record;
- m2ans = m2r[0].Mark2Anchor;
- FREE( m2ans );
+ if ( m2a->Mark2Count )
+ {
+ m2ans = m2r[0].Mark2Anchor;
+ FREE( m2ans );
+ }
+
FREE( m2r );
}
}
@@ -3841,6 +3849,9 @@ static HB_Error Lookup_ContextPos2( GPOS_Instance* gpi,
if ( error )
return error;
+ if (cpf2->MaxContextLength < 1)
+ return HB_Err_Not_Covered;
+
if ( ALLOC_ARRAY( classes, cpf2->MaxContextLength, HB_UShort ) )
return error;
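Review bot: The guard `if (cpf2->MaxContextLength < 1)` in Lookup_ContextPos2 carries no comment naming the later access it protects, and the value appears to be derived from font data. Presumably `classes` is indexed at element 0 further down, outside this hunk, which a zero-length allocation would not cover; a comment like `/* classes[0] is accessed below; reject a zero-length context */` would make that explicit. The condition is also written without the inner spaces used by the surrounding code (`if ( error )`), so `if ( cpf2->MaxContextLength < 1 )` would match. The same applies to the guard in the Lookup_ContextSubst2 hunk of harfbuzz-gsub.c.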
@@ -5123,6 +5134,9 @@ static HB_Error Lookup_ChainContextPos2(
return error;
known_backtrack_classes = 0;
+ if (ccpf2->MaxInputLength < 1)
+ return HB_Err_Not_Covered;
+
if ( ALLOC_ARRAY( input_classes, ccpf2->MaxInputLength, HB_UShort ) )
goto End3;
known_input_classes = 1;
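Review bot: The added `return HB_Err_Not_Covered;` in Lookup_ChainContextPos2 leaves the function directly, while the allocation failure immediately below it uses `goto End3`, which suggests that something acquired above the hunk is released at that label. If so (the function body starts outside the hunk, so the earlier allocation is not visible), a font with a `MaxInputLength` of zero would leak that memory on every lookup. Either perform the check before the earlier allocation or leave through the cleanup path, e.g. `{ error = HB_Err_Not_Covered; goto End3; }`, assuming End3 ends by returning `error`. The `ccsf2->MaxInputLength` guard in the Lookup_ChainContextSubst2 hunk of harfbuzz-gsub.c has the same shape.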
diff --git a/src/harfbuzz-gsub.c b/src/harfbuzz-gsub.c
index 5f08040..21fec51 100644
--- a/src/harfbuzz-gsub.c
+++ b/src/harfbuzz-gsub.c
@@ -1896,6 +1896,9 @@ static HB_Error Lookup_ContextSubst2( HB_GSUBHeader* gsub,
if ( error )
return error;
+ if (csf2->MaxContextLength < 1)
+ return HB_Err_Not_Covered;
+
if ( ALLOC_ARRAY( classes, csf2->MaxContextLength, HB_UShort ) )
return error;
@@ -3159,6 +3162,9 @@ static HB_Error Lookup_ChainContextSubst2( HB_GSUBHeader* gsub,
return error;
known_backtrack_classes = 0;
+ if (ccsf2->MaxInputLength < 1)
+ return HB_Err_Not_Covered;
+
if ( ALLOC_ARRAY( input_classes, ccsf2->MaxInputLength, HB_UShort ) )
goto End3;
known_input_classes = 1;