Henri Verbeet : usp10: Range check glyph counts in GPOS_apply_ChainContextPos().
Module: wine Branch: master Commit: 7dfe9b9c94e5c57a2b6c0b1252e72b78a17a678d URL: http://source.winehq.org/git/wine.git/?a=commit;h=7dfe9b9c94e5c57a2b6c0b1252... Author: Henri Verbeet <hverbeet(a)codeweavers.com> Date: Wed Apr 5 10:21:28 2017 +0200 usp10: Range check glyph counts in GPOS_apply_ChainContextPos(). I.e., avoid accessing outside the "glyphs" array. If we're particularly unlucky we may actually get a match against data outside the array. Signed-off-by: Henri Verbeet <hverbeet(a)codeweavers.com> Signed-off-by: Aric Stewart <aric(a)codeweavers.com> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- dlls/usp10/opentype.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c index b5ee5d1..9c1d596 100644 --- a/dlls/usp10/opentype.c +++ b/dlls/usp10/opentype.c @@ -2235,10 +2235,22 @@ static unsigned int GPOS_apply_ChainContextPos(const ScriptCache *script_cache, TRACE(" subtype 3 (Coverage-based Chaining Context Glyph Positioning)\n"); backtrack_count = GET_BE_WORD(backtrack->BacktrackGlyphCount); + k = glyph_index + dirBacktrack * backtrack_count; + if (k < 0 || k >= glyph_count) + continue; + input = (const GPOS_ChainContextPosFormat3_2 *)&backtrack->Coverage[backtrack_count]; input_count = GET_BE_WORD(input->InputGlyphCount); + k = glyph_index + write_dir * (input_count - 1); + if (k < 0 || k >= glyph_count) + continue; + lookahead = (const GPOS_ChainContextPosFormat3_3 *)&input->Coverage[input_count]; lookahead_count = GET_BE_WORD(lookahead->LookaheadGlyphCount); + k = glyph_index + dirLookahead * (input_count + lookahead_count - 1); + if (k < 0 || k >= glyph_count) + continue; + positioning = (const GPOS_ChainContextPosFormat3_4 *)&lookahead->Coverage[lookahead_count]; for (k = 0; k < backtrack_count; ++k)
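Review bot: The first added check bounds `glyph_index + dirBacktrack * backtrack_count`, while the second and third subtract 1 from the count, and nothing in the hunk explains why the backtrack bound uses the full count. A one-line comment on each check naming the glyph it stands for (furthest backtrack glyph, last input glyph, last lookahead glyph) would make the asymmetry reviewable. The second check also needs a look for `input_count == 0`: `input_count - 1` is then -1, so `k` lands one glyph behind `glyph_index` in the writing direction, and at the edge of the run the subtable is skipped because of a position no input coverage would read. This assumes the counts are signed ints; their declarations are not in the visible lines. Separately, these checks protect only the `glyphs` array. The pointer steps `&backtrack->Coverage[backtrack_count]`, `&input->Coverage[input_count]` and `&lookahead->Coverage[lookahead_count]` still take their counts straight from `GET_BE_WORD` on font data, with no bound against the table size in the lines shown, so consider validating those against the subtable length as well.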