[PATCH v2 0/1] MR10868: gdi32/uniscribe: Add some out-of-bound checks in shape.c.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=59680 -- v2: gdi32/uniscribe: Add some out-of-bound checks in shape.c. https://gitlab.winehq.org/wine/wine/-/merge_requests/10868
From: समीर सिंह Sameer Singh <lumarzeli30@gmail.com> Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=59680 --- dlls/gdi32/uniscribe/shape.c | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/dlls/gdi32/uniscribe/shape.c b/dlls/gdi32/uniscribe/shape.c index baee7e3ec6e..67ed164e549 100644 --- a/dlls/gdi32/uniscribe/shape.c +++ b/dlls/gdi32/uniscribe/shape.c @@ -3032,11 +3032,14 @@ static void ShapeCharGlyphProp_Arabic( HDC hdc, ScriptCache *psc, SCRIPT_ANALYSI if (k>=0) { for (; k < cChars && pwLogClust[k] == i; k++) - char_index[char_count++] = k; + if (char_count < ARRAY_SIZE(char_index)) + char_index[char_count++] = k; + else + WARN("char_index overflow at glyph %d, dropping character %d\n", i, k); } - isInit = (i == initGlyph || (i+dirR > 0 && i+dirR < cGlyphs && spaces[i+dirR])); - isFinal = (i == finaGlyph || (i+dirL > 0 && i+dirL < cGlyphs && spaces[i+dirL])); + isInit = (i == initGlyph || ((unsigned int)i+dirR < (unsigned int)cGlyphs && spaces[i+dirR])); + isFinal = (i == finaGlyph || ((unsigned int)i+dirL < (unsigned int)cGlyphs && spaces[i+dirL])); if (char_count == 0) continue; @@ -3110,7 +3113,10 @@ static void ShapeCharGlyphProp_Hebrew( HDC hdc, ScriptCache *psc, SCRIPT_ANALYSI if (k>=0) { for (; k < cChars && pwLogClust[k] == i; k++) - char_index[char_count++] = k; + if (char_count < ARRAY_SIZE(char_index)) + char_index[char_count++] = k; + else + WARN("char_index overflow at glyph %d, dropping character %d\n", i, k); } if (char_count == 0) @@ -3156,7 +3162,10 @@ static void ShapeCharGlyphProp_Thai( HDC hdc, ScriptCache *psc, SCRIPT_ANALYSIS if (k>=0) { for (; k < cChars && pwLogClust[k] == i; k++) - char_index[char_count++] = k; + if (char_count < ARRAY_SIZE(char_index)) + char_index[char_count++] = k; + else + WARN("char_index overflow at glyph %d, dropping character %d\n", i, k); } if (i == finaGlyph) @@ -3181,7 +3190,11 @@ static void ShapeCharGlyphProp_Thai( HDC hdc, ScriptCache *psc, SCRIPT_ANALYSIS for (i = 0; i < cGlyphs; i++) { if (!pGlyphProp[i].sva.fClusterStart) - pGlyphProp[i-dirL].sva.uJustification = SCRIPT_JUSTIFY_NONE; + { + unsigned int neighbour = i-dirL; + if (neighbour < (unsigned int)cGlyphs) + pGlyphProp[neighbour].sva.uJustification = SCRIPT_JUSTIFY_NONE; + } } } @@ -3229,7 +3242,10 @@ static void ShapeCharGlyphProp_Tibet( HDC hdc, ScriptCache* psc, SCRIPT_ANALYSIS if (k>=0) { for (; k < cChars && pwLogClust[k] == i; k++) - char_index[char_count++] = k; + if (char_count < ARRAY_SIZE(char_index)) + char_index[char_count++] = k; + else + WARN("char_index overflow at glyph %d, dropping character %d\n", i, k); } if (char_count == 0) @@ -3271,7 +3287,10 @@ static void ShapeCharGlyphProp_BaseIndic( HDC hdc, ScriptCache *psc, SCRIPT_ANAL if (k>=0) { for (; k < cChars && pwLogClust[k] == i; k++) - char_index[char_count++] = k; + if (char_count < ARRAY_SIZE(char_index)) + char_index[char_count++] = k; + else + WARN("char_index overflow at glyph %d, dropping character %d\n", i, k); } if (override_gsub) -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/10868
participants (1)
-
समीर सिंह Sameer Singh -
समीरसिंह Sameer Singh (@ss141309)