[HarfBuzz] harfbuzz: Branch 'master' - 2 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Tue Oct 16 23:26:27 UTC 2018


 dev/null                       |binary
 src/hb-ot-layout-gpos-table.hh |   14 ++++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

New commits:
commit 49c041f7c5b135cbcbd1663e18047afd54fc948b
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Tue Oct 16 16:25:24 2018 -0700

    Minor

diff --git a/test/fuzzing/clusterfuzz-testcase-6107935408390144 b/test/fuzzing/clusterfuzz-testcase-6107935408390144
deleted file mode 100644
index 4c81a866..00000000
Binary files a/test/fuzzing/clusterfuzz-testcase-6107935408390144 and /dev/null differ
commit 36f38ea7033b4e52c6cd94a8a0d686a95c0cc148
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Tue Oct 16 16:24:03 2018 -0700

    [gpos] Protect mark attachment against out-of-bounds
    
    Not sure how this can happen, but it does...

diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index 8b20c150..4f81b327 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -1658,7 +1658,10 @@ reverse_cursive_minor_offset (hb_glyph_position_t *pos, unsigned int i, hb_direc
   pos[j].attach_type() = type;
 }
 static void
-propagate_attachment_offsets (hb_glyph_position_t *pos, unsigned int i, hb_direction_t direction)
+propagate_attachment_offsets (hb_glyph_position_t *pos,
+			      unsigned int len,
+			      unsigned int i,
+			      hb_direction_t direction)
 {
   /* Adjusts offsets of attached glyphs (both cursive and mark) to accumulate
    * offset of glyph they are attached to. */
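Review bot: The header comment under the new signature still describes only the offset accumulation and says nothing about `len` or about a chain that points outside the array. Since the guard added further down returns silently, I would extend the comment with something like `len is the number of entries in pos; a chain whose target index is not below len is cleared and skipped without adjusting offsets.` The function body continues past this hunk, so the wording should be checked against the rest of it.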
@@ -1666,11 +1669,14 @@ propagate_attachment_offsets (hb_glyph_position_t *pos, unsigned int i, hb_direc
   if (likely (!chain))
     return;
 
+  pos[i].attach_chain() = 0;
+
   unsigned int j = (int) i + chain;
 
-  pos[i].attach_chain() = 0;
+  if (unlikely (j >= len))
+    return;
 
-  propagate_attachment_offsets (pos, j, direction);
+  propagate_attachment_offsets (pos, len, j, direction);
 
   assert (!!(type & ATTACH_TYPE_MARK) ^ !!(type & ATTACH_TYPE_CURSIVE));
 
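Review bot: The recursive call `propagate_attachment_offsets (pos, len, j, direction);` is now bounds-checked but still has no depth limit. Clearing `attach_chain()` before recursing rules out cycles, yet a chain that links many glyphs in sequence would recurse once per link, so stack use scales with input that appears to be derived from the font's GPOS data. Consider threading a depth counter through the call and returning early when it is exhausted, e.g. `if (unlikely (!nesting_level)) return;` with the recursive call passing `nesting_level - 1`. It would also help to note next to `if (unlikely (j >= len))` that a negative `(int) i + chain` converts to a large unsigned value and is rejected by the same comparison. The function starts before and continues after this hunk.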
@@ -1726,7 +1732,7 @@ GPOS::position_finish_offsets (hb_font_t *font HB_UNUSED, hb_buffer_t *buffer)
   /* Handle attachments */
   if (buffer->scratch_flags & HB_BUFFER_SCRATCH_FLAG_HAS_GPOS_ATTACHMENT)
     for (unsigned int i = 0; i < len; i++)
-      propagate_attachment_offsets (pos, i, direction);
+      propagate_attachment_offsets (pos, len, i, direction);
 }
 
 

