[HarfBuzz] 'head' table issue

Jonathan Kew jonathan at jfkew.plus.com
Mon Aug 16 07:30:14 PDT 2010


Hi Behdad,

I think there's an issue with how the 'head' table is handled in harfbuzz-ng at the moment.

hb_face_create_for_tables() loads the 'head' table and calls Sanitizer<head>::sanitize() on it. However, if sanitize() fails, the table gets replaced by the empty blob, which means that face->head_table does not point to a valid 'head' structure, and in particular, when GPOS code tries to use the unitsPerEm value to scale coordinates, it is accessing "random" memory.

So it seems to me that hb_face_create_for_tables() needs to check that the 'head' table was successfully loaded, *and* has a usable (non-zero, at least) unitsPerEm value. But as that's the only field we care about, we could let hb_face_create_for_tables() store the unitsPerEm value directly into the face (checking that it is within the valid range), and then release the table; there's no need to hold on to the blob after initial creation of the face.

Suggested patch attached.

JK

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug-580719-hb-head-sanitize.patch
Type: application/octet-stream
Size: 4786 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/harfbuzz/attachments/20100816/cb162770/attachment.obj>
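The check proposed in the message above, as an added C example (not the attached patch and not HarfBuzz code): read unitsPerEm once at face creation, validate it, and keep only the value so that an empty blob can never be dereferenced later. The `toy_face_t` type, the function names and the fallback of 1000 are assumptions of this example; the 54-byte length, field offsets, magic number and the 16 to 16384 range come from the OpenType 'head' table definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAD_TABLE_SIZE  54u    /* fixed length of the OpenType 'head' table */
#define HEAD_UPEM_OFFSET 18u    /* unitsPerEm: big-endian uint16 */
#define UPEM_MIN         16u    /* valid range in the OpenType spec */
#define UPEM_MAX         16384u
#define FALLBACK_UPEM    1000u  /* assumption of this example */
static const uint8_t HEAD_MAGIC[4] = {0x5F, 0x0F, 0x3C, 0xF5}; /* offset 12 */

typedef struct { uint16_t units_per_em; } toy_face_t; /* hypothetical face */

/* Validated unitsPerEm, or 0 when the table is absent (empty blob), short,
 * has a wrong magic number, or holds an out-of-range value. */
uint16_t head_read_upem(const uint8_t *data, size_t len) {
    if (data == NULL || len < HEAD_TABLE_SIZE) return 0;
    if (memcmp(data + 12, HEAD_MAGIC, sizeof HEAD_MAGIC) != 0) return 0;
    uint16_t upem = (uint16_t)((data[HEAD_UPEM_OFFSET] << 8) | data[HEAD_UPEM_OFFSET + 1]);
    return (upem < UPEM_MIN || upem > UPEM_MAX) ? 0 : upem;
}

/* Copy the one field into the face; `data` can be released after this call. */
void toy_face_init(toy_face_t *face, const uint8_t *data, size_t len) {
    uint16_t upem = head_read_upem(data, len);
    face->units_per_em = upem ? upem : FALLBACK_UPEM;
}

/* Scale a font-unit value; units_per_em is guaranteed non-zero by init. */
int32_t toy_scale(const toy_face_t *face, int16_t v, int32_t scale) {
    return (int32_t)((int64_t)v * scale / face->units_per_em);
}

/* Constructed sample: zeroed 54-byte table with the magic number and `upem`. */
void make_sample_head(uint8_t *out, uint16_t upem) {
    memset(out, 0, HEAD_TABLE_SIZE);
    memcpy(out + 12, HEAD_MAGIC, sizeof HEAD_MAGIC);
    out[18] = (uint8_t)(upem >> 8); out[19] = (uint8_t)(upem & 0xFF);
}

int main(void) {
    uint8_t head[HEAD_TABLE_SIZE];
    toy_face_t ok, bad;
    make_sample_head(head, 2048);
    toy_face_init(&ok, head, sizeof head);
    toy_face_init(&bad, NULL, 0); /* what a failed sanitize leaves behind */
    printf("upem: valid=%u empty-blob=%u\n", (unsigned)ok.units_per_em, (unsigned)bad.units_per_em);
    return 0;
}
```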