usp10: Range check glyph counts in GPOS_apply_ContextPos().

Signed-off-by: Henri Verbeet <hverbeet@codeweavers.com> Signed-off-by: Aric Stewart <aric@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

usp10: Range check glyph counts in GPOS_apply_ContextPos().
1b02c1ac · Henri Verbeet · Alexandre Julliard · d1ca880e · 1b02c1ac
Commit 1b02c1ac authored Apr 17, 2017 by Henri Verbeet Committed by Alexandre Julliard Apr 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

opentype.c dlls/usp10/opentype.c +6 -0

No files found.
--- a/dlls/usp10/opentype.c
+++ b/dlls/usp10/opentype.c
@@ -2166,12 +2166,18 @@ static unsigned int GPOS_apply_ContextPos(const ScriptCache *script_cache, const
                {
                    const GPOS_PosClassRule_1 *pr;
                    const GPOS_PosClassRule_2 *pr_2;
+                    unsigned int g;
                    int g_count, l;
                    offset = GET_BE_WORD(pcs->PosClassRule[k]);
                    pr = (const GPOS_PosClassRule_1*)((const BYTE*)pcs+offset);
                    g_count = GET_BE_WORD(pr->GlyphCount);
                    TRACE("PosClassRule has %i glyphs classes\n",g_count);
+                    g = glyph_index + write_dir * (g_count - 1);
+                    if (g >= glyph_count)
+                        continue;
                    for (l = 0; l < g_count-1; l++)
                    {
                        int g_class = OT_get_glyph_class(glyph_class_table, glyphs[glyph_index + (write_dir * (l+1))]);