[HarfBuzz] harfbuzz: Branch 'master'

Behdad Esfahbod behdad at kemper.freedesktop.org
Sat Jun 23 14:34:18 UTC 2018


 src/hb-ot-layout-common-private.hh |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

New commits:
commit b2a187918757a0faaf0f564ec2b0766c09fa364c
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Sat Jun 23 10:32:28 2018 -0400

    In Coverage iterator, bail out if table smells
    
    In particular, if CoverageFormat2 has unsorted ranges, bail out.
    Otherwise, 64k ranges of each 64k glyphs can DoS closure() method.
    
    We can do the same for CoverageFormat1, but that one does not expose
    the quadratic behavior, so, fine.

diff --git a/src/hb-ot-layout-common-private.hh b/src/hb-ot-layout-common-private.hh
index 763ea92f..ff9c5650 100644
--- a/src/hb-ot-layout-common-private.hh
+++ b/src/hb-ot-layout-common-private.hh
@@ -832,7 +832,12 @@ struct CoverageFormat2
       c = &c_;
       coverage = 0;
       i = 0;
-      j = c->rangeRecord.len ? c_.rangeRecord[0].start : 0;
+      j = c->rangeRecord.len ? c->rangeRecord[0].start : 0;
+      if (unlikely (c->rangeRecord[0].start > c->rangeRecord[0].end))
+      {
+        /* Broken table. Skip. */
+        i = c->rangeRecord.len;
+      }
     }
     inline bool more (void) { return i < c->rangeRecord.len; }
     inline void next (void)
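Review bot: The added check `c->rangeRecord[0].start > c->rangeRecord[0].end` runs even when `rangeRecord.len` is 0, although the assignment to `j` directly above guards the same index with `c->rangeRecord.len ?`. If the array's `operator[]` returns a null record for an out-of-range index this is harmless, but that guarantee is not visible in this hunk. Either guard it explicitly, `if (c->rangeRecord.len && unlikely (c->rangeRecord[0].start > c->rangeRecord[0].end))`, or extend the comment to `/* Broken table. Skip. An empty array relies on the null record here. */`. The initializer this check sits in starts outside the hunk.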
@@ -842,7 +847,14 @@ struct CoverageFormat2
         i++;
 	if (more ())
 	{
+	  hb_codepoint_t old = j;
 	  j = c->rangeRecord[i].start;
+	  if (unlikely (j <= old))
+	  {
+	    /* Broken table. Skip. Important to avoid DoS. */
+	   i = c->rangeRecord.len;
+	   return;
+	  }
 	  coverage = c->rangeRecord[i].value;
 	}
 	return;
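Review bot: The bail-out comment in `next()` does not state the invariant that makes it a DoS guard: a range is rejected when its start is not above the last glyph returned (`j <= old`), so `j` increases strictly across ranges. I would spell that out, for example `/* Ranges must be sorted and disjoint; j must strictly increase or a crafted table can make iteration quadratic. Stop. */`. Unlike the first-range check in the initializer, later ranges are not checked for start > end here; whether that matters depends on the end comparison, which lies outside this hunk. `j` is already overwritten with the rejected start before the `return`, so callers are presumably expected to test `more()` before reading the glyph. The two statements under the comment are also indented one column less than the comment itself.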
@@ -855,7 +867,8 @@ struct CoverageFormat2
 
     private:
     const struct CoverageFormat2 *c;
-    unsigned int i, j, coverage;
+    unsigned int i, coverage;
+    hb_codepoint_t j;
   };
   private:
 

