Module: wine Branch: master Commit: d1ca880ec45cfccf929ea1545840537ce25eeebf URL: http://source.winehq.org/git/wine.git/?a=commit;h=d1ca880ec45cfccf929ea15458... Author: Henri Verbeet <hverbeet(a)codeweavers.com> Date: Mon Apr 17 20:26:57 2017 +0200 usp10: Validate substition record sequence indices in GSUB_apply_ChainContextSubst(). Signed-off-by: Henri Verbeet <hverbeet(a)codeweavers.com> Signed-off-by: Aric Stewart <aric(a)codeweavers.com> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- dlls/usp10/opentype.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c index f0417f1..2cca0cb 100644 --- a/dlls/usp10/opentype.c +++ b/dlls/usp10/opentype.c @@ -1346,12 +1346,19 @@ static INT GSUB_apply_ChainContextSubst(const OT_LookupList* lookup, const OT_Lo substitute_count = GET_BE_WORD(substitute->SubstCount); for (k = 0; k < substitute_count; ++k) { - WORD lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex); - WORD sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex) * write_dir; + unsigned int lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex); + unsigned int sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex); + unsigned int g = glyph_index + write_dir * sequence_index; + + if (g >= *glyph_count) + { + WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n", + sequence_index, glyph_index, write_dir); + continue; + } TRACE("SUBST: %u -> %u %u.\n", k, sequence_index, lookup_index); - new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs, - glyph_index + sequence_index, write_dir, glyph_count); + new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs, g, write_dir, glyph_count); if (new_index == GSUB_E_NOGLYPH) ERR("Chain failed to generate a glyph.\n"); } @@ -1426,12 +1433,19 @@ static INT GSUB_apply_ChainContextSubst(const OT_LookupList* lookup, const OT_Lo substitution_count = GET_BE_WORD(substitute->SubstCount); for (k = 0; k < substitution_count; ++k) { - WORD lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex); - WORD sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex) * write_dir; + unsigned int lookup_index = GET_BE_WORD(substitute->SubstLookupRecord[k].LookupListIndex); + unsigned int sequence_index = GET_BE_WORD(substitute->SubstLookupRecord[k].SequenceIndex); + unsigned int g = glyph_index + write_dir * sequence_index; + + if (g >= *glyph_count) + { + WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n", + sequence_index, glyph_index, write_dir); + continue; + } TRACE("SUBST: %u -> %u %u.\n", k, sequence_index, lookup_index); - new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs, - glyph_index + sequence_index, write_dir, glyph_count); + new_index = GSUB_apply_lookup(lookup, lookup_index, glyphs, g, write_dir, glyph_count); if (new_index == GSUB_E_NOGLYPH) ERR("Chain failed to generate a glyph.\n"); }