From faddba4474467661ea8d2ba2055c051c7590da96 Mon Sep 17 00:00:00 2001
From: suzuki toshiya
Date: Sat, 8 Oct 2011 01:30:49 +0900
Subject: [PATCH] [gxvalid] Fix a bug to detect too large offset in morx table.
* src/gxvalid/gxvmorx2.c (gxv_morx_subtable_type2_ligActionIndex_validate): Fix a bug that too large positive offset cannot be detected.
---
 ChangeLog | 8 ++++++++
 src/gxvalid/gxvmorx2.c | 10 ++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cfc74cc0a..3db02a4a2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2011-10-07 suzuki toshiya
+
+ [gxvalid] Fix a bug to detect too large offset in morx table.
+
+ * src/gxvalid/gxvmorx2.c
+ (gxv_morx_subtable_type2_ligActionIndex_validate): Fix a bug
+ that too large positive offset cannot be detected.
+
 2011-10-01 Braden Thomas
 Handle some border cases.
diff --git a/src/gxvalid/gxvmorx2.c b/src/gxvalid/gxvmorx2.c
index bc18c6b8a..9d2b0bc4a 100644
--- a/src/gxvalid/gxvmorx2.c
+++ b/src/gxvalid/gxvmorx2.c
@@ -173,6 +173,7 @@
 FT_UShort store;
 #endif
 FT_ULong offset;
+ FT_Long gid_limit;
 lig_action = FT_NEXT_ULONG( p );
@@ -186,8 +187,9 @@
 /* this offset is 30-bit signed value to add to GID */
 /* it is different from the location offset in mort */
 if ( ( offset & 0x3FFF0000UL ) == 0x3FFF0000UL )
- {
- if ( offset + valid->face->num_glyphs > 0x40000000UL )
+ { /* negative offset */
+ gid_limit = valid->face->num_glyphs - ( offset & 0x0000FFFFUL );
+ if ( gid_limit > 0 )
 return;
 GXV_TRACE(( "ligature action table includes"
@@ -197,8 +199,8 @@
 GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET );
 }
 else if ( ( offset & 0x3FFF0000UL ) == 0x0000000UL )
- {
- if ( offset + valid->face->num_glyphs < 0 )
+ { /* positive offset */
+ if ( (FT_Long)offset < valid->face->num_glyphs )
 return;
 GXV_TRACE(( "ligature action table includes"
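Review bot: The new `gid_limit` assignment in the negative-offset branch subtracts an `FT_ULong` expression from `valid->face->num_glyphs`, so the subtraction is carried out in unsigned arithmetic and only turns negative through the implementation-defined conversion on assignment to `FT_Long`. Casting the operand first keeps the whole test signed: `gid_limit = valid->face->num_glyphs - (FT_Long)( offset & 0x0000FFFFUL );`. Separately, if the field is two's-complement, as the context comment "30-bit signed value" suggests, the low 16 bits are not the magnitude of the negative offset: 0x3FFFFFFF (i.e. -1) gives `num_glyphs - 65535`. A one-line comment stating which bound this branch is meant to enforce would make that checkable. The enclosing function starts and ends outside the hunk.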
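Review bot: The `(FT_Long)offset` cast in the positive-offset branch is only safe if `offset` has already been masked to 30 bits, and that masking is not visible in this hunk. The `else if` condition clears bits 16-29 but says nothing about bits 30-31, so on a platform with a 32-bit `FT_Long` an unmasked value with bit 31 set would cast to a negative number and pass the `< num_glyphs` test. If the mask is applied earlier, a comment above the comparison would record the dependency, for example `/* offset was masked to 30 bits and bits 16-29 are zero here, so it is <= 0xFFFF */`. The rest of this branch lies outside the hunk.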