Module: wine Branch: master Commit: 34a9400a89c4d1b8a46979432f3864e8065919fc URL: http://source.winehq.org/git/wine.git/?a=commit;h=34a9400a89c4d1b8a46979432f...

Author: Henri Verbeet hverbeet@codeweavers.com Date: Mon Apr 17 20:26:56 2017 +0200

usp10: Validate positioning record sequence indices in GPOS_apply_ChainContextPos().

The issue is somewhat theoretical, since in reasonbale fonts the indices should always be valid, and in fact are fairly likely to be 0. On the other hand, web fonts exist.

Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Aric Stewart aric@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org

---

dlls/usp10/opentype.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c index a3346ef..f0417f1 100644 --- a/dlls/usp10/opentype.c +++ b/dlls/usp10/opentype.c @@ -2301,12 +2301,20 @@ static unsigned int GPOS_apply_ChainContextPos(const ScriptCache *script_cache,

for (k = 0; k < positioning_count; ++k) { - WORD lookup_index = GET_BE_WORD(positioning->PosLookupRecord[k].LookupListIndex); - WORD sequence_index = GET_BE_WORD(positioning->PosLookupRecord[k].SequenceIndex) * write_dir; + unsigned int lookup_index = GET_BE_WORD(positioning->PosLookupRecord[k].LookupListIndex); + unsigned int sequence_index = GET_BE_WORD(positioning->PosLookupRecord[k].SequenceIndex); + unsigned int g = glyph_index + write_dir * sequence_index; + + if (g >= glyph_count) + { + WARN("Skipping invalid sequence index %u (glyph index %u, write dir %d).\n", + sequence_index, glyph_index, write_dir); + continue; + }

TRACE("Position: %u -> %u %u.\n", k, sequence_index, lookup_index); GPOS_apply_lookup(script_cache, otm, logfont, analysis, advance, lookup, lookup_index, - glyphs, glyph_index + sequence_index, glyph_count, goffset); + glyphs, g, glyph_count, goffset); } return input_count + lookahead_count; }