Module: wine Branch: master Commit: 6c13170b9512877a07cb6d7f7b6afcda021cb153 URL: http://source.winehq.org/git/wine.git/?a=commit;h=6c13170b9512877a07cb6d7f7b...
Author: Henri Verbeet hverbeet@codeweavers.com Date: Fri Apr 21 00:57:12 2017 +0200
usp10: Range check glyph counts in GSUB_apply_ContextSubst().
Signed-off-by: Henri Verbeet hverbeet@codeweavers.com Signed-off-by: Aric Stewart aric@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/usp10/opentype.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/dlls/usp10/opentype.c b/dlls/usp10/opentype.c
index d2e0fc5..f01839b 100644
--- a/dlls/usp10/opentype.c
+++ b/dlls/usp10/opentype.c
@@ -1098,6 +1098,7 @@ static INT GSUB_apply_ContextSubst(const OT_LookupList* lookup, const OT_LookupT
 {
 const GSUB_SubRule_1 *sr;
 const GSUB_SubRule_2 *sr_2;
+ unsigned int g;
 int g_count, l;
 int newIndex = glyph_index;
@@ -1105,6 +1106,11 @@ static INT GSUB_apply_ContextSubst(const OT_LookupList* lookup, const OT_LookupT
 sr = (const GSUB_SubRule_1*)((const BYTE*)srs+offset);
 g_count = GET_BE_WORD(sr->GlyphCount);
 TRACE(" SubRule has %i glyphs\n",g_count);
+
+ g = glyph_index + write_dir * (g_count - 1);
+ if (g >= *glyph_count)
+ continue;
+
 for (l = 0; l < g_count-1; l++)
 if (glyphs[glyph_index + (write_dir * (l+1))] != GET_BE_WORD(sr->Input[l]))
 break;
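Review bot: The added guard `if (g >= *glyph_count) continue;` rejects an index below zero (the `write_dir == -1` case) only because `g` is unsigned and the negative result wraps to a large value, and nothing at the check says so. A comment above the assignment, such as `/* g is unsigned, so an index below zero wraps and is rejected as well */`, would keep a later cleanup from turning `g` into an `int`. `g_count` is taken directly from the font's `GlyphCount`, and when it is 0 the term `g_count - 1` is -1, so the guard tests the glyph on the opposite side of `glyph_index` rather than the end of the input sequence. An explicit `if (!g_count) continue;` before the assignment would make that case deliberate. Both points apply equally to the SubClassRule hunk at -1176, and the loop body continues outside this hunk, so what follows the match loop is not visible here.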
@@ -1169,6 +1175,7 @@ static INT GSUB_apply_ContextSubst(const OT_LookupList* lookup, const OT_LookupT
 {
 const GSUB_SubClassRule_1 *sr;
 const GSUB_SubClassRule_2 *sr_2;
+ unsigned int g;
 int g_count, l;
 int newIndex = glyph_index;
@@ -1176,6 +1183,11 @@ static INT GSUB_apply_ContextSubst(const OT_LookupList* lookup, const OT_LookupT
 sr = (const GSUB_SubClassRule_1*)((const BYTE*)scs+offset);
 g_count = GET_BE_WORD(sr->GlyphCount);
 TRACE(" SubClassRule has %i glyphs classes\n",g_count);
+
+ g = glyph_index + write_dir * (g_count - 1);
+ if (g >= *glyph_count)
+ continue;
+
 for (l = 0; l < g_count-1; l++)
 {
 int g_class = OT_get_glyph_class(glyph_class_table, glyphs[glyph_index + (write_dir * (l+1))]);
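Review bot: The new guard bounds the index into `glyphs`, but `sr` is still built from the font-supplied `offset` and read through `sr->GlyphCount`, with no table length visible in this hunk to compare against. The SubRule hunk at -1105 has the same shape and additionally reads `sr->Input[l]` for up to `g_count - 1` entries. If the GSUB table extent is not validated before this function runs, a malformed font could still cause reads past the end of the table, so it is worth confirming where that validation happens. A comment next to the `sr = ...` assignment, for example `/* offset is checked against the table size in <caller, to be filled in> */`, would record it. The function signature is truncated in the hunk header and the body continues outside the hunk, so this is inferred from the visible lines only.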