Module: wine Branch: master Commit: 30e8768d00fb3a93f2c4cb5ca5773f2ab78bb396 URL: http://source.winehq.org/git/wine.git/?a=commit;h=30e8768d00fb3a93f2c4cb5ca5...
Author: Henri Verbeet hverbeet@codeweavers.com Date: Fri Apr 21 00:57:14 2017 +0200
usp10: Validate substition record sequence indices in GSUB_apply_ContextSubst().
Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Aric Stewart aric@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/usp10/opentype.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c index 307b6a9..0351f4f 100644 --- a/dlls/usp10/opentype.c +++ b/dlls/usp10/opentype.c @@ -1125,11 +1125,19 @@ static INT GSUB_apply_ContextSubst(const OT_LookupList* lookup, const OT_LookupT
for (l = 0; l < GET_BE_WORD(sr->SubstCount); l++) { - int lookupIndex = GET_BE_WORD(sr_2->SubstLookupRecord[l].LookupListIndex); - int SequenceIndex = GET_BE_WORD(sr_2->SubstLookupRecord[l].SequenceIndex) * write_dir; + unsigned int lookup_index = GET_BE_WORD(sr_2->SubstLookupRecord[l].LookupListIndex); + unsigned int sequence_index = GET_BE_WORD(sr_2->SubstLookupRecord[l].SequenceIndex);
- TRACE(" SUBST: %i -> %i %i\n",l, SequenceIndex, lookupIndex); - newIndex = GSUB_apply_lookup(lookup, lookupIndex, glyphs, glyph_index + SequenceIndex, write_dir, glyph_count); + g = glyph_index + write_dir * sequence_index; + if (g >= *glyph_count) + { + WARN("Invalid sequence index %u (glyph index %u, write dir %d).\n", + sequence_index, glyph_index, write_dir); + continue; + } + + TRACE(" SUBST: %u -> %u %u.\n", l, sequence_index, lookup_index); + newIndex = GSUB_apply_lookup(lookup, lookup_index, glyphs, g, write_dir, glyph_count); if (newIndex == GSUB_E_NOGLYPH) { ERR(" Chain failed to generate a glyph\n"); @@ -1204,11 +1212,19 @@ static INT GSUB_apply_ContextSubst(const OT_LookupList* lookup, const OT_LookupT
for (l = 0; l < GET_BE_WORD(sr->SubstCount); l++) { - int lookupIndex = GET_BE_WORD(sr_2->SubstLookupRecord[l].LookupListIndex); - int SequenceIndex = GET_BE_WORD(sr_2->SubstLookupRecord[l].SequenceIndex) * write_dir; + unsigned int lookup_index = GET_BE_WORD(sr_2->SubstLookupRecord[l].LookupListIndex); + unsigned int sequence_index = GET_BE_WORD(sr_2->SubstLookupRecord[l].SequenceIndex); + + g = glyph_index + write_dir * sequence_index; + if (g >= *glyph_count) + { + WARN("Invalid sequence index %u (glyph index %u, write dir %d).\n", + sequence_index, glyph_index, write_dir); + continue; + }
- TRACE(" SUBST: %i -> %i %i\n",l, SequenceIndex, lookupIndex); - newIndex = GSUB_apply_lookup(lookup, lookupIndex, glyphs, glyph_index + SequenceIndex, write_dir, glyph_count); + TRACE(" SUBST: %u -> %u %u.\n", l, sequence_index, lookup_index); + newIndex = GSUB_apply_lookup(lookup, lookup_index, glyphs, g, write_dir, glyph_count); if (newIndex == GSUB_E_NOGLYPH) { ERR(" Chain failed to generate a glyph\n");