[HB] Sanitize DeviceTable

3 files changed, 19 insertions, 8 deletions

diff --git a/pango/opentype/hb-open-types-private.hh b/pango/opentype/hb-open-types-private.hh
index bc9bf860..2c39c35b 100644
--- a/pango/opentype/hb-open-types-private.hh
+++ b/pango/opentype/hb-open-types-private.hh
@@ -76,7 +76,7 @@ struct _hb_sanitize_context_t
 
 #define SANITIZE_SELF() SANITIZE_OBJ (*this)
 #define SANITIZE_OBJ(X) SANITIZE_MEM(&(X), sizeof (X))
-#define SANITIZE_GET_SIZE() SANITIZE_MEM (this, this->get_size ())
+#define SANITIZE_GET_SIZE() SANITIZE_SELF() && SANITIZE_MEM (this, this->get_size ())
 
 #define SANITIZE_MEM(B,L) HB_LIKELY (context->start <= CONST_CHARP(B) && CONST_CHARP(B) + (L) <= context->end) /* XXX overflow */
 
@@ -376,7 +376,7 @@ struct GenericArrayOf
   { return sizeof (len) + len * sizeof (array[0]); }
 
   inline bool sanitize (SANITIZE_ARG_DEF) {
-    if (!(SANITIZE (len) && SANITIZE_GET_SIZE())) return false;
+    if (!SANITIZE_GET_SIZE()) return false;
     /* Note; for non-recursive types, this is not much needed
     unsigned int count = len;
     for (unsigned int i = 0; i < count; i++)
@@ -385,7 +385,7 @@ struct GenericArrayOf
     */
   }
   inline bool sanitize (SANITIZE_ARG_DEF, const void *base) {
-    if (!(SANITIZE (len) && SANITIZE_GET_SIZE())) return false;
+    if (!SANITIZE_GET_SIZE()) return false;
     unsigned int count = len;
     for (unsigned int i = 0; i < count; i++)
       if (!array[i].sanitize (SANITIZE_ARG, base))
@@ -430,7 +430,7 @@ struct HeadlessArrayOf
   { return sizeof (len) + (len ? len - 1 : 0) * sizeof (array[0]); }
 
   inline bool sanitize (SANITIZE_ARG_DEF) {
-    if (!(SANITIZE_SELF () && SANITIZE_GET_SIZE())) return false;
+    if (!SANITIZE_GET_SIZE()) return false;
     unsigned int count = len ? len - 1 : 0;
     /* Note; for non-recursive types, this is not much needed
     for (unsigned int i = 0; i < count; i++)
diff --git a/pango/opentype/hb-ot-layout-common-private.hh b/pango/opentype/hb-ot-layout-common-private.hh
index 6720b600..7317f5c3 100644
--- a/pango/opentype/hb-ot-layout-common-private.hh
+++ b/pango/opentype/hb-ot-layout-common-private.hh
@@ -357,7 +357,7 @@ struct Coverage
     }
   }
 
-  inline bool sanitize (SANITIZE_ARG_DEF) {
+  bool sanitize (SANITIZE_ARG_DEF) {
     if (!SANITIZE (u.format)) return false;
     switch (u.format) {
     case 1: return u.format1->sanitize (SANITIZE_ARG);
@@ -469,7 +469,7 @@ struct ClassDef
     }
   }
 
-  inline bool sanitize (SANITIZE_ARG_DEF) {
+  bool sanitize (SANITIZE_ARG_DEF) {
     if (!SANITIZE (u.format)) return false;
     switch (u.format) {
     case 1: return u.format1->sanitize (SANITIZE_ARG);
@@ -494,6 +494,8 @@ ASSERT_SIZE (ClassDef, 2);
 
 struct Device
 {
+  inline int operator() (unsigned int ppem_size) const { return get_delta (ppem_size); }
+
   int get_delta (unsigned int ppem_size) const
   {
     unsigned int f = deltaFormat;
@@ -517,7 +519,16 @@ struct Device
     return delta;
   }
 
-  inline int operator() (unsigned int ppem_size) const { return get_delta (ppem_size); }
+  inline unsigned int get_size () const
+  {
+    unsigned int f = deltaFormat;
+    if (HB_UNLIKELY (f < 1 || f > 3 || startSize > endSize)) return sizeof (*this);
+    return sizeof (*this) + ((endSize - startSize + (1 << (4 - f)) - 1) >> (4 - f));
+  }
+
+  bool sanitize (SANITIZE_ARG_DEF) {
+    return SANITIZE_GET_SIZE ();
+  }
 
   private:
   USHORT	startSize;	/* Smallest size to correct--in ppem */
diff --git a/pango/opentype/hb-ot-layout-gsub-private.hh b/pango/opentype/hb-ot-layout-gsub-private.hh
index 09b17aff..91a2564f 100644
--- a/pango/opentype/hb-ot-layout-gsub-private.hh
+++ b/pango/opentype/hb-ot-layout-gsub-private.hh
@@ -680,7 +680,7 @@ struct SubstLookupSubTable
     }
   }
 
-  inline bool sanitize (SANITIZE_ARG_DEF) {
+  bool sanitize (SANITIZE_ARG_DEF) {
     if (!SANITIZE (u.format)) return false;
     switch (u.format) {
     case Single:		return u.single->sanitize (SANITIZE_ARG);