Nikolay Sivov (@nsivov) commented about dlls/win32u/font.c:
+ else + { + OT_ClassDefFormat2 *cf2 = (OT_ClassDefFormat2 *)cf1; + int i, top = GET_BE_WORD(cf2->ClassRangeCount); + for (i = 0; i < top; i++) + { + if (glyph >= GET_BE_WORD(cf2->ClassRangeRecord[i].Start) && + glyph <= GET_BE_WORD(cf2->ClassRangeRecord[i].End)) + { + class = GET_BE_WORD(cf2->ClassRangeRecord[i].Class); + break; + } + } + } + return class; +} This does not do any validation regarding reading past the end of the table. Also format 2 should be using binary search, and not a loop.
-- https://gitlab.winehq.org/wine/wine/-/merge_requests/3876#note_47689
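Review bot: In the format 2 branch, `top` is taken directly from `cf2->ClassRangeCount` in the font data and then bounds every read of `cf2->ClassRangeRecord[i]`, and nothing in the visible lines compares it with the size of the table. A font with an oversized count would make the loop read past the end of the mapped data. Suggest clamping `top` to the number of whole ClassRangeRecord entries that fit between the start of the record array and the end of the table before the loop runs, which needs the table length to be available at this point. OpenType requires ClassRangeRecords to be ordered by start glyph, so once the count is validated the lookup can be a binary search over that range. The bare `else` also casts `cf1` to `OT_ClassDefFormat2` for whatever format value did not match the branch above it, so an explicit check for format 2, with other values returning the default class, would be safer.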