src/java.desktop/share/native/libfontmanager/harfbuzz/hb-ot-layout-common-private.hh
@@ -830,21 +830,33 @@
inline void init (const CoverageFormat2 &c_)
{
c = &c_;
coverage = 0;
i = 0;
- j = c->rangeRecord.len ? c_.rangeRecord[0].start : 0;
+ j = c->rangeRecord.len ? c->rangeRecord[0].start : 0;
+ if (unlikely (c->rangeRecord[0].start > c->rangeRecord[0].end))
+ {
+ /* Broken table. Skip. */
+ i = c->rangeRecord.len;
+ }
}
inline bool more (void) { return i < c->rangeRecord.len; }
inline void next (void)
{
if (j >= c->rangeRecord[i].end)
{
i++;
if (more ())
{
+ hb_codepoint_t old = j;
j = c->rangeRecord[i].start;
+ if (unlikely (j <= old))
+ {
+ /* Broken table. Skip. Important to avoid DoS. */
+ i = c->rangeRecord.len;
+ return;
+ }
coverage = c->rangeRecord[i].value;
}
return;
}
coverage++;
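Review bot: In init(), the new broken-table check reads `c->rangeRecord[0]` unconditionally, while the assignment to `j` just above it guards the same access with `c->rangeRecord.len`. Whether an empty array is safe here depends on ArrayOf's operator[], which is defined outside this hunk; if it hands back a null record for an out-of-range index the comparison is 0 > 0 and harmless, but nothing in these lines shows that. I would make the guard explicit, `if (unlikely (c->rangeRecord.len && c->rangeRecord[0].start > c->rangeRecord[0].end))`, so the check on untrusted font data does not lean on the accessor's out-of-range behaviour. The start > end test is also applied only to record 0: next() rejects a record whose start does not advance past the previous glyph but never compares a later record's start with its own end, so a one-line comment saying whether that is intentional would help the next reader.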
@@ -853,11 +865,12 @@
inline hb_codepoint_t get_glyph (void) { return j; }
inline unsigned int get_coverage (void) { return coverage; }
private:
const struct CoverageFormat2 *c;
- unsigned int i, j, coverage;
+ unsigned int i, coverage;
+ hb_codepoint_t j;
};
private:
protected:
HBUINT16 coverageFormat; /* Format identifier--format = 2 */