blob: b3656d7b6166815af14f376d899cad7adbfecbf8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
CVE-2010-0421
--- a/pango/opentype/harfbuzz-gdef.c
+++ b/pango/opentype/harfbuzz-gdef.c
@@ -923,7 +923,7 @@ HB_Error HB_GDEF_Build_ClassDefinition(
goto Fail1;
}
- if ( gcrr[count - 1].End != num_glyphs - 1 )
+ if ( gcrr[count - 1].End + 1 < num_glyphs )
{
if ( ALLOC_ARRAY( ngc[count],
( num_glyphs - gcrr[count - 1].End + 2 ) / 4,
@@ -938,7 +938,9 @@ HB_Error HB_GDEF_Build_ClassDefinition(
HB_UShort ) )
goto Fail2;
}
-
+ else
+ num_glyphs = 1;
+
gdef->LastGlyph = num_glyphs - 1;
gdef->MarkAttachClassDef_offset = 0L;
@@ -996,6 +998,8 @@ _HB_GDEF_Add_Glyph_Property( HB_GDEFHead
HB_ClassRangeRecord* gcrr;
HB_UShort** ngc;
+ if ( glyphID >= gdef->LastGlyph )
+ return 0;
error = _HB_OPEN_Get_Class( &gdef->GlyphClassDef, glyphID, &class, &index );
if ( error && error != HB_Err_Not_Covered )
|
