Merge branch 'check-length-of-font-table' into 'main'

DWrite: Check length of the font table See merge request GNOME/pango!689
author: Matthias Clasen <mclasen@redhat.com> 2023-05-02 03:40:13 +0000
committer: Matthias Clasen <mclasen@redhat.com> 2023-05-02 03:40:13 +0000
commit: b446637f4a4cbc8018151d1a7186644cdcad8455 (patch)
tree: 2666321001522ffff439179d0db5ef1bf380b12e
parent: c27adf341e7da5c33b2c05f78fb997339b2e2625 (diff)
parent: b067284615c7e1334ef74a645853e401cb949e33 (diff)
download: pango-b446637f4a4cbc8018151d1a7186644cdcad8455.tar.gz
1 files changed, 12 insertions, 4 deletions
diff --git a/pango/pangowin32-dwrite-fontmap.cpp b/pango/pangowin32-dwrite-fontmap.cpp
index 2db0972a..7e712b57 100644
--- a/pango/pangowin32-dwrite-fontmap.cpp
+++ b/pango/pangowin32-dwrite-fontmap.cpp
@@ -512,22 +512,30 @@ pango_win32_dwrite_font_check_is_hinted (PangoWin32Font *font)
                                                        &table_ctx,
                                                        &exists)))
         {
-          if (exists)
+          if (exists && table_size > 4)
             {
               guint16 version = DWRITE_NEXT_USHORT (table_data);
 
               if (version == 0 || version == 1)
                 {
                   guint16 num_ranges = DWRITE_NEXT_USHORT (table_data);
-                  guint16 i;
+                  UINT32 max_ranges = (table_size - 4) / (sizeof (guint16) * 2);
+                  guint16 i = 0;
 
-                  for (i = 0; !result && i < num_ranges && i < (table_size / sizeof (guint16)); i ++)
+                  if (num_ranges > max_ranges)
+                    num_ranges = max_ranges;
+
+                  for (i = 0; i < num_ranges; i++)
                     {
+                      G_GNUC_UNUSED
                       guint16 ppem = DWRITE_NEXT_USHORT (table_data);
                       guint16 behavior = DWRITE_NEXT_USHORT (table_data);
 
                       if (behavior & (GASP_GRIDFIT | GASP_SYMMETRIC_GRIDFIT))
-                        result = TRUE;
+                        {
+                          result = TRUE;
+                          break;
+                        }
                     }
                 }
             }
author	Matthias Clasen <mclasen@redhat.com>	2023-05-02 03:40:13 +0000
committer	Matthias Clasen <mclasen@redhat.com>	2023-05-02 03:40:13 +0000
commit	b446637f4a4cbc8018151d1a7186644cdcad8455 (patch)
tree	2666321001522ffff439179d0db5ef1bf380b12e
parent	c27adf341e7da5c33b2c05f78fb997339b2e2625 (diff)
parent	b067284615c7e1334ef74a645853e401cb949e33 (diff)
download	pango-b446637f4a4cbc8018151d1a7186644cdcad8455.tar.gz