changeset 8822:113968fa7826

8219066: Fuzzing TrueType fonts: setCurrGlyphID() Reviewed-by: andrew, mbalao Contributed-by: Martin Balao <mbalao@redhat.com>
author bae
date Wed, 03 Apr 2019 03:51:25 +0100
parents 5b9d760136e8
children b00a29a55d68
files src/share/native/sun/font/layout/ContextualSubstSubtables.cpp src/share/native/sun/font/layout/GlyphIterator.cpp src/share/native/sun/font/layout/SubstitutionLookups.cpp
diffstat 3 files changed, 18 insertions(+), 2 deletions(-) [+]
--- a/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp	Wed Apr 10 04:00:33 2019 +0100
+++ b/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp	Wed Apr 03 03:51:25 2019 +0100
@@ -67,7 +67,10 @@
         le_uint16 lookupListIndex = SWAPW(substLookupRecordArrayPtr[subst].lookupListIndex);
 
         tempIterator.setCurrStreamPosition(position);
-        tempIterator.next(sequenceIndex);
+        if (!tempIterator.next(sequenceIndex)) {
+            success = LE_INTERNAL_ERROR;
+            return;
+        }
 
         lookupProcessor->applySingleLookup(lookupListIndex, &tempIterator, fontInstance, success);
     }
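Review bot: The new early return inside the substitution loop has no comment saying why a failed `next(sequenceIndex)` is fatal, and it can leave the run partly substituted. Earlier iterations have already called `applySingleLookup` on the same glyph storage by the time `success` becomes `LE_INTERNAL_ERROR`. I would add `// sequenceIndex presumably comes from the font's lookup record; if it steps past the glyph run, stop rather than apply the lookup at the wrong position` above the `if`. It is also worth confirming that callers discard the layout result when `success` reports a failure, which is not visible here. The identical four lines are added in SubstitutionLookups.cpp, so the same points apply there; the loop header and enclosing function are outside the hunk.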
--- a/src/share/native/sun/font/layout/GlyphIterator.cpp	Wed Apr 10 04:00:33 2019 +0100
+++ b/src/share/native/sun/font/layout/GlyphIterator.cpp	Wed Apr 03 03:51:25 2019 +0100
@@ -224,6 +224,16 @@
 
 void GlyphIterator::setCurrGlyphID(TTGlyphID glyphID)
 {
+    if (direction < 0) {
+        if (position <= nextLimit || position >= prevLimit) {
+            return;
+        }
+    } else {
+        if (position <= prevLimit || position >= nextLimit) {
+            return;
+        }
+    }
+
     LEGlyphID glyph = glyphStorage[position];
 
     glyphStorage[position] = LE_SET_GLYPH(glyph, glyphID);
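Review bot: The guard added to `setCurrGlyphID` drops the write silently when `position` is at or beyond `prevLimit`/`nextLimit`. Because the function returns `void`, a caller cannot tell that the glyph was not replaced and carries on as if the substitution had happened. At minimum the no-op should be documented, e.g. `// position is outside the (prevLimit, nextLimit) window, both bounds exclusive: skip the write instead of indexing glyphStorage out of range`. The two branches differ only in which limit is the lower bound, so a small private predicate would keep this check from drifting apart from any other accessor that indexes `glyphStorage[position]`. The function's closing brace is outside the hunk.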
--- a/src/share/native/sun/font/layout/SubstitutionLookups.cpp	Wed Apr 10 04:00:33 2019 +0100
+++ b/src/share/native/sun/font/layout/SubstitutionLookups.cpp	Wed Apr 03 03:51:25 2019 +0100
@@ -67,7 +67,10 @@
         le_uint16 lookupListIndex = SWAPW(substLookupRecordArray[subst].lookupListIndex);
 
         tempIterator.setCurrStreamPosition(position);
-        tempIterator.next(sequenceIndex);
+        if (!tempIterator.next(sequenceIndex)) {
+            success = LE_INTERNAL_ERROR;
+            return;
+        }
 
         lookupProcessor->applySingleLookup(lookupListIndex, &tempIterator, fontInstance, success);
     }