diff options
author | Behdad Esfahbod <behdad@behdad.org> | 2009-03-02 15:16:11 +0330 |
---|---|---|
committer | Behdad Esfahbod <behdad@behdad.org> | 2009-03-02 15:16:11 +0330 |
commit | fab7a104d5c6f3182fe9bdc84bfcba5807f87f8a (patch) | |
tree | 67338887bb0516bf99c0d5230da2a4132c106fc3 /pango | |
parent | caaa5d09e10d4fe01ef986c9a95826c3cbb13cfa (diff) | |
download | pango-fab7a104d5c6f3182fe9bdc84bfcba5807f87f8a.tar.gz |
[opentype] Protect against illegal access for arrays of length zero
Diffstat (limited to 'pango')
-rw-r--r-- | pango/opentype/harfbuzz-gpos.c | 22 | ||||
-rw-r--r-- | pango/opentype/harfbuzz-gsub.c | 6 |
2 files changed, 24 insertions, 4 deletions
diff --git a/pango/opentype/harfbuzz-gpos.c b/pango/opentype/harfbuzz-gpos.c index 2961940c..c78dcba4 100644 --- a/pango/opentype/harfbuzz-gpos.c +++ b/pango/opentype/harfbuzz-gpos.c @@ -2080,9 +2080,13 @@ static void Free_BaseArray( HB_BaseArray* ba, if ( ba->BaseRecord ) { br = ba->BaseRecord; - bans = br[0].BaseAnchor; - FREE( bans ); + if ( ba->BaseCount ) + { + bans = br[0].BaseAnchor; + FREE( bans ); + } + FREE( br ); } } @@ -2811,9 +2815,13 @@ static void Free_Mark2Array( HB_Mark2Array* m2a, if ( m2a->Mark2Record ) { m2r = m2a->Mark2Record; - m2ans = m2r[0].Mark2Anchor; - FREE( m2ans ); + if ( m2a->Mark2Count ) + { + m2ans = m2r[0].Mark2Anchor; + FREE( m2ans ); + } + FREE( m2r ); } } @@ -3857,6 +3865,9 @@ static HB_Error Lookup_ContextPos2( GPOS_Instance* gpi, if ( error ) return error; + if (cpf2->MaxContextLength < 1) + return HB_Err_Not_Covered; + if ( ALLOC_ARRAY( classes, cpf2->MaxContextLength, HB_UShort ) ) return error; @@ -5139,6 +5150,9 @@ static HB_Error Lookup_ChainContextPos2( return error; known_backtrack_classes = 0; + if (ccpf2->MaxInputLength < 1) + return HB_Err_Not_Covered; + if ( ALLOC_ARRAY( input_classes, ccpf2->MaxInputLength, HB_UShort ) ) goto End3; known_input_classes = 1; diff --git a/pango/opentype/harfbuzz-gsub.c b/pango/opentype/harfbuzz-gsub.c index f504bf0e..c05f20db 100644 --- a/pango/opentype/harfbuzz-gsub.c +++ b/pango/opentype/harfbuzz-gsub.c @@ -1896,6 +1896,9 @@ static HB_Error Lookup_ContextSubst2( HB_GSUBHeader* gsub, if ( error ) return error; + if (csf2->MaxContextLength < 1) + return HB_Err_Not_Covered; + if ( ALLOC_ARRAY( classes, csf2->MaxContextLength, HB_UShort ) ) return error; @@ -3159,6 +3162,9 @@ static HB_Error Lookup_ChainContextSubst2( HB_GSUBHeader* gsub, return error; known_backtrack_classes = 0; + if (ccsf2->MaxInputLength < 1) + return HB_Err_Not_Covered; + if ( ALLOC_ARRAY( input_classes, ccsf2->MaxInputLength, HB_UShort ) ) goto End3; known_input_classes = 1; |