[HarfBuzz] harfbuzz: Branch 'master' - 2 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Fri Nov 16 07:03:47 UTC 2018 

 src/hb-ot-hdmx-table.hh |   25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

New commits:
commit cb4bf85b14afb3761a85e3da130f2844ac94a49d
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Fri Nov 16 02:02:24 2018 -0500

    [hdmx] Fix bounds checking
    
    Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11351

diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index 2eed85c0..0fea24bc 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -66,12 +66,9 @@ struct DeviceRecord
       if (unlikely (i >= len ())) return nullptr;
       hb_codepoint_t gid = this->subset_plan->glyphs [i];
 
-      const HBUINT8* width = &(this->source_device_record->widthsZ[gid]);
-
-      if (width < ((const HBUINT8 *) this->source_device_record) + sizeDeviceRecord)
-	return width;
-      else
-	return nullptr;
+      if (gid >= sizeDeviceRecord - DeviceRecord::min_size)
+        return nullptr;
+      return &(this->source_device_record->widthsZ[gid]);
     }
   };
 
@@ -135,6 +132,8 @@ struct hdmx
 
   inline const DeviceRecord& operator [] (unsigned int i) const
   {
+    /* XXX Null(DeviceRecord) is NOT safe as it's num-glyphs lengthed.
+     * https://github.com/harfbuzz/harfbuzz/issues/1300 */
     if (unlikely (i >= numRecords)) return Null (DeviceRecord);
     return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
   }
commit af727b4e629f8b07d7afb809be69d053827f6a51
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Fri Nov 16 01:55:39 2018 -0500

    [hdmx] Minor

diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index 9cfce68a..2eed85c0 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -136,7 +136,7 @@ struct hdmx
   inline const DeviceRecord& operator [] (unsigned int i) const
   {
     if (unlikely (i >= numRecords)) return Null (DeviceRecord);
-    return StructAtOffset<DeviceRecord> (&this->dataZ, i * sizeDeviceRecord);
+    return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
   }
 
   inline bool serialize (hb_serialize_context_t *c, const hdmx *source_hdmx, hb_subset_plan_t *plan)
@@ -200,19 +200,19 @@ struct hdmx
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (c->check_struct (this) && version == 0 &&
+    return_trace (c->check_struct (this) &&
 		  !hb_unsigned_mul_overflows (numRecords, sizeDeviceRecord) &&
 		  sizeDeviceRecord >= DeviceRecord::min_size &&
 		  c->check_range (this, get_size ()));
   }
 
   protected:
-  HBUINT16			version;		/* Table version number (0) */
-  HBUINT16			numRecords;		/* Number of device records. */
-  HBUINT32			sizeDeviceRecord;	/* Size of a device record, 32-bit aligned. */
-  UnsizedArrayOf<HBUINT8>	dataZ;			/* Array of device records. */
+  HBUINT16		version;		/* Table version number (0) */
+  HBUINT16		numRecords;		/* Number of device records. */
+  HBUINT32		sizeDeviceRecord;	/* Size of a device record, 32-bit aligned. */
+  DeviceRecord		firstDeviceRecord;	/* Array of device records. */
   public:
-  DEFINE_SIZE_ARRAY (8, dataZ);
+  DEFINE_SIZE_MIN (8);
 };
 
 } /* namespace OT */

More information about the HarfBuzz mailing list