From: समीर सिंह Sameer Singh <lumarzeli30@gmail.com>
---
 dlls/gdi32/uniscribe/opentype.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/dlls/gdi32/uniscribe/opentype.c b/dlls/gdi32/uniscribe/opentype.c
index 07fdc53d284..ae4ab322c65 100644
--- a/dlls/gdi32/uniscribe/opentype.c
+++ b/dlls/gdi32/uniscribe/opentype.c
@@ -2109,6 +2109,7 @@ static BOOL GPOS_apply_MarkToMark(const OT_LookupTable *look, const SCRIPT_ANALY
 int mark_class;
 int class_count = GET_BE_WORD(mmpf1->ClassCount);
 int mark2record_size;
+ int mark2_offset;
 POINT mark2_pt;
 POINT mark_pt;
 TRACE("Mark %x(%i) and Mark2 %x(%i)\n",glyphs[glyph_index], mark_index, glyphs[glyph_index - write_dir], mark2_index);
@@ -2135,7 +2136,18 @@ static BOOL GPOS_apply_MarkToMark(const OT_LookupTable *look, const SCRIPT_ANALY
 return FALSE;
 }
 mark2record_size = class_count * sizeof(WORD);
- m2r = (const GPOS_Mark2Record*)((const BYTE*)m2a + sizeof(WORD) + (mark2record_size * mark2_index));
+ if (mark2_index > 0 && mark2record_size > INT_MAX / mark2_index)
+ {
+ ERR("Integer overflow in mark2 record size\n");
+ return FALSE;
+ }
+ mark2_offset = mark2record_size * mark2_index;
+ if (mark2_offset > INT_MAX - sizeof(WORD))
+ {
+ ERR("Integer overflow in mark2 record size\n");
+ return FALSE;
+ }
+ m2r = (const GPOS_Mark2Record*)((const BYTE*)m2a + sizeof(WORD) + mark2_offset);
 offset = GET_BE_WORD(m2r->Mark2Anchor[mark_class]);
 GPOS_get_anchor_values((const BYTE*)m2a + offset, &mark2_pt, ppem);
 offset = GET_BE_WORD(mr->MarkAnchor);
-- 
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/10859
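Review bot: The second guard in the second hunk reuses the first guard's message, `ERR("Integer overflow in mark2 record size\n");`, although it checks the addition of `sizeof(WORD)` rather than the record size; `ERR("Integer overflow in mark2 offset\n");` would keep the two failure paths distinguishable in a log. That addition is evaluated in `size_t` because `sizeof(WORD)` is the left operand, and `mark2_offset` is already bounded to at most INT_MAX by the first check, so the second comparison (an `int` against a `size_t`, which -Wsign-compare flags) guards an `int` overflow that cannot occur; computing the offset as `(size_t)mark2record_size * mark2_index` would remove the need for both checks, since `class_count` comes from a 16-bit `GET_BE_WORD` field. The first guard also lets a negative `mark2_index` through (`mark2_index > 0` skips the division and the product then goes negative), which is only safe if the index is validated as non-negative above the hunk, which is not visible here. Both checks address arithmetic overflow only: whether the resulting `m2r` and the subsequent `Mark2Anchor[mark_class]` read lie within the table's extent is not checked in this hunk, and it is not visible whether the table length is available to this function. GPOS_apply_MarkToMark begins and ends outside the hunk.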