diff options
author | Behdad Esfahbod <behdad@behdad.org> | 2009-08-12 15:40:04 -0400 |
---|---|---|
committer | Behdad Esfahbod <behdad@behdad.org> | 2009-08-12 15:40:04 -0400 |
commit | ebdcfbeb5aeb3e827326844f2f942570e503e26a (patch) | |
tree | 9bfcdf5149e4321e9e9e5966efa0a3293115ebab | |
parent | 6b7265c4d6fab1181d0453a845b67ab53fb19d2e (diff) | |
download | pango-ebdcfbeb5aeb3e827326844f2f942570e503e26a.tar.gz |
[HB] Fix invalid access / overflow on x86-64
Bug 591557 – [HB] crash scrolling the evolution message list
Bug 591576 – crashed with SIGSEGV at pango
-rw-r--r-- | pango/opentype/hb-ot-layout-gpos-private.hh | 21 | ||||
-rw-r--r-- | pango/opentype/hb-ot-layout-gsub-private.hh | 2 |
2 files changed, 12 insertions, 11 deletions
diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh index 307f2699..c7ac4f07 100644 --- a/pango/opentype/hb-ot-layout-gpos-private.hh +++ b/pango/opentype/hb-ot-layout-gpos-private.hh @@ -913,13 +913,14 @@ struct MarkBasePosFormat1 /* now we search backwards for a non-mark glyph */ unsigned int count = buffer->in_pos; - unsigned int i = 1, j = count - 1; - while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property)) + unsigned int i = 0, j = count; + do { if (HB_UNLIKELY (i == count)) return false; i++, j--; - } + } while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property)) + #if 0 /* The following assertion is too strong. */ if (!(property & HB_OT_LAYOUT_GLYPH_CLASS_BASE_GLYPH)) @@ -1046,13 +1047,14 @@ struct MarkLigPosFormat1 /* now we search backwards for a non-mark glyph */ unsigned int count = buffer->in_pos; - unsigned int i = 1, j = count - 1; - while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property)) + unsigned int i = 0, j = count; + do { if (HB_UNLIKELY (i == count)) return false; i++, j--; - } + } while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), LookupFlag::IgnoreMarks, &property)); + #if 0 /* The following assertion is too strong. */ if (!(property & HB_OT_LAYOUT_GLYPH_CLASS_LIGATURE)) @@ -1203,13 +1205,14 @@ struct MarkMarkPosFormat1 /* now we search backwards for a suitable mark glyph until a non-mark glyph */ unsigned int count = buffer->in_pos; - unsigned int i = 1, j = count - 1; - while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), lookup_flag, &property)) + unsigned int i = 0, j = count; + do { if (HB_UNLIKELY (i == count)) return false; i++, j--; - } + } while (_hb_ot_layout_skip_mark (context->face, IN_INFO (j), lookup_flag, &property)); + if (!(property & HB_OT_LAYOUT_GLYPH_CLASS_MARK)) return false; diff --git a/pango/opentype/hb-ot-layout-gsub-private.hh b/pango/opentype/hb-ot-layout-gsub-private.hh index 50b62861..af278295 100644 --- a/pango/opentype/hb-ot-layout-gsub-private.hh +++ b/pango/opentype/hb-ot-layout-gsub-private.hh @@ -798,11 +798,9 @@ struct SubstLookup : Lookup } if (ret) _hb_buffer_swap (buffer); - } else { - /* in-place backward substitution */ buffer->in_pos = buffer->in_length - 1; do |