Module: wine Branch: master Commit: 34a9400a89c4d1b8a46979432f3864e8065919fc URL: http://source.winehq.org/git/wine.git/?a=commit;h=34a9400a89c4d1b8a46979432f... Author: Henri Verbeet <hverbeet(a)codeweavers.com> Date: Mon Apr 17 20:26:56 2017 +0200 usp10: Validate positioning record sequence indices in GPOS_apply_ChainContextPos(). The issue is somewhat theoretical, since in reasonbale fonts the indices should always be valid, and in fact are fairly likely to be 0. On the other hand, web fonts exist. Signed-off-by: Henri Verbeet <hverbeet(a)codeweavers.com> Signed-off-by: Aric Stewart <aric(a)codeweavers.com> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- dlls/usp10/opentype.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
index a3346ef..f0417f1 100644
--- a/dlls/usp10/opentype.c
+++ b/dlls/usp10/opentype.c
@@ -2301,12 +2301,20 @@ static unsigned int GPOS_apply_ChainContextPos(const ScriptCache *script_cache,
 for (k = 0; k < positioning_count; ++k)
 {
- WORD lookup_index = GET_BE_WORD(positioning->PosLookupRecord[k].LookupListIndex);
- WORD sequence_index = GET_BE_WORD(positioning->PosLookupRecord[k].SequenceIndex) * write_dir;
+ unsigned int lookup_index = GET_BE_WORD(positioning->PosLookupRecord[k].LookupListIndex);
+ unsigned int sequence_index = GET_BE_WORD(positioning->PosLookupRecord[k].SequenceIndex);
+ unsigned int g = glyph_index + write_dir * sequence_index;
+
+ if (g >= glyph_count)
+ {
+ WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n",
+ sequence_index, glyph_index, write_dir);
+ continue;
+ }
 TRACE("Position: %u -> %u %u.\n", k, sequence_index, lookup_index);
 GPOS_apply_lookup(script_cache, otm, logfont, analysis, advance, lookup, lookup_index,
- glyphs, glyph_index + sequence_index, glyph_count, goffset);
+ glyphs, g, glyph_count, goffset);
 }
 return input_count + lookahead_count;
 }
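Review bot: The new `g >= glyph_count` guard catches a backwards overrun only because `write_dir * sequence_index` is evaluated as unsigned and wraps when `write_dir` is negative, which is correct but easy to break in a later edit. A comment on the `unsigned int g = ...` line would make the dependency explicit, e.g. `/* write_dir may be -1: the unsigned product wraps, so an underflow also shows up as g >= glyph_count. */`. `lookup_index` comes from the same font-supplied record and is still passed to GPOS_apply_lookup() unchecked in this hunk, so it is worth confirming that the callee bounds it against the lookup list count. The check accepts any position inside the glyph run rather than only inside the matched input sequence, which is memory-safe but possibly looser than intended. The function starts outside the hunk, so the types of `write_dir` and `glyph_count` are inferred from the format specifiers and their use here.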