diff options
| author | Luca Bacci <luca.bacci982@gmail.com> | 2023-04-18 19:16:27 +0200 |
|---|---|---|
| committer | Luca Bacci <luca.bacci982@gmail.com> | 2023-04-19 14:19:06 +0200 |
| commit | b067284615c7e1334ef74a645853e401cb949e33 (patch) | |
| tree | 33643518b5a0507f743bd69a5c576712b6d21038 | |
| parent | 9b9e86629eae7c757a467d8c825c3929f27ebc3c (diff) | |
| download | pango-b067284615c7e1334ef74a645853e401cb949e33.tar.gz | |
DWrite: Check length of the font table
Fixes https://gitlab.com/inkscape/inkscape/-/issues/4224
| -rw-r--r-- | pango/pangowin32-dwrite-fontmap.cpp | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/pango/pangowin32-dwrite-fontmap.cpp b/pango/pangowin32-dwrite-fontmap.cpp index 2db0972a..7e712b57 100644 --- a/pango/pangowin32-dwrite-fontmap.cpp +++ b/pango/pangowin32-dwrite-fontmap.cpp @@ -512,22 +512,30 @@ pango_win32_dwrite_font_check_is_hinted (PangoWin32Font *font) &table_ctx, &exists))) { - if (exists) + if (exists && table_size > 4) { guint16 version = DWRITE_NEXT_USHORT (table_data); if (version == 0 || version == 1) { guint16 num_ranges = DWRITE_NEXT_USHORT (table_data); - guint16 i; + UINT32 max_ranges = (table_size - 4) / (sizeof (guint16) * 2); + guint16 i = 0; - for (i = 0; !result && i < num_ranges && i < (table_size / sizeof (guint16)); i ++) + if (num_ranges > max_ranges) + num_ranges = max_ranges; + + for (i = 0; i < num_ranges; i++) { + G_GNUC_UNUSED guint16 ppem = DWRITE_NEXT_USHORT (table_data); guint16 behavior = DWRITE_NEXT_USHORT (table_data); if (behavior & (GASP_GRIDFIT | GASP_SYMMETRIC_GRIDFIT)) - result = TRUE; + { + result = TRUE; + break; + } } } } |