From: समीर सिंह Sameer Singh <lumarzeli30@gmail.com>
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=59680
---
 dlls/gdi32/uniscribe/opentype.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/dlls/gdi32/uniscribe/opentype.c b/dlls/gdi32/uniscribe/opentype.c
index b2a72b8c3ff..b4eadb6ca44 100644
--- a/dlls/gdi32/uniscribe/opentype.c
+++ b/dlls/gdi32/uniscribe/opentype.c
@@ -2080,6 +2080,13 @@ static BOOL GPOS_apply_MarkToMark(const OT_LookupTable *look, const SCRIPT_ANALY
 TRACE("MarkToMark Attachment Positioning Subtable\n");
+ if ((write_dir == 1 && glyph_index == 0) ||
+ (write_dir == -1 && glyph_index + 1 == glyph_count))
+ {
+ ERR("Out of bounds access in glyphs array\n");
+ return FALSE;
+ }
+
 for (j = 0; j < GET_BE_WORD(look->SubTableCount); j++)
 {
 const GPOS_MarkMarkPosFormat1 *mmpf1 = (const GPOS_MarkMarkPosFormat1 *)GPOS_get_subtable(look, j);
@@ -2115,8 +2122,18 @@ static BOOL GPOS_apply_MarkToMark(const OT_LookupTable *look, const SCRIPT_ANALY
 mr = &ma->MarkRecord[mark_index];
 mark_class = GET_BE_WORD(mr->Class);
 TRACE("Mark Class %i total classes %i\n",mark_class,class_count);
+ if (mark_class >= class_count)
+ {
+ ERR("Mark class exceeded total classes\n");
+ return FALSE;
+ }
 offset = GET_BE_WORD(mmpf1->Mark2Array);
 m2a = (const GPOS_Mark2Array*)((const BYTE*)mmpf1 + offset);
+ if (mark2_index >= GET_BE_WORD(m2a->Mark2Count))
+ {
+ ERR("Mark2 index exceeded mark2 count\n");
+ return FALSE;
+ }
 mark2record_size = class_count * sizeof(WORD);
 m2r = (const GPOS_Mark2Record*)((const BYTE*)m2a + sizeof(WORD) + (mark2record_size * mark2_index));
 offset = GET_BE_WORD(m2r->Mark2Anchor[mark_class]);
--
GitLab
https://gitlab.winehq.org/wine/wine/-/merge_requests/10859
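Review bot: The new guard at the top of GPOS_apply_MarkToMark tests the right-to-left edge with an exact match, `glyph_index + 1 == glyph_count`, so a glyph_index already at or past glyph_count would still reach the glyphs array access the guard is meant to protect; `(write_dir == -1 && glyph_index + 1 >= glyph_count)` covers that case as well. The guard also sits before the subtable loop, so it presumably fires for any edge glyph the lookup is tried on, whether or not that glyph is a covered mark (the coverage test is outside the hunk). `ERR` looks too loud for a condition that ordinary text can produce; `WARN` or `TRACE` would fit better. The function body starts and ends outside the hunk.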
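Review bot: The two checks added in the second hunk compare indices against counts that come from the font itself (`m2a->Mark2Count`, and presumably `class_count`), and `m2a` is reached through the unchecked `Mark2Array` offset, so they keep the reads consistent with the table's own fields but do not keep them inside the loaded GPOS data. A comment should record that limit, for example `/* counts and offsets are font-supplied; nothing here bounds them to the table size */`. The context line `mr = &ma->MarkRecord[mark_index];` has the same shape: unless mark_index is validated above the hunk, it wants `if (mark_index >= GET_BE_WORD(ma->MarkCount)) return FALSE;` before it. The enclosing loop body starts and ends outside the hunk.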