diff options
Diffstat (limited to 'src/3rdparty/harfbuzz-ng/src/hb-ot-cff-common.hh')
-rw-r--r-- | src/3rdparty/harfbuzz-ng/src/hb-ot-cff-common.hh | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/src/3rdparty/harfbuzz-ng/src/hb-ot-cff-common.hh b/src/3rdparty/harfbuzz-ng/src/hb-ot-cff-common.hh index 923a32b26f..4fdba197ac 100644 --- a/src/3rdparty/harfbuzz-ng/src/hb-ot-cff-common.hh +++ b/src/3rdparty/harfbuzz-ng/src/hb-ot-cff-common.hh @@ -78,7 +78,8 @@ struct CFFIndex hb_requires (hb_is_iterable (Iterable))> bool serialize (hb_serialize_context_t *c, const Iterable &iterable, - const unsigned *p_data_size = nullptr) + const unsigned *p_data_size = nullptr, + unsigned min_off_size = 0) { TRACE_SERIALIZE (this); unsigned data_size; @@ -88,7 +89,7 @@ struct CFFIndex total_size (iterable, &data_size); auto it = hb_iter (iterable); - if (unlikely (!serialize_header (c, +it, data_size))) return_trace (false); + if (unlikely (!serialize_header (c, +it, data_size, min_off_size))) return_trace (false); unsigned char *ret = c->allocate_size<unsigned char> (data_size, false); if (unlikely (!ret)) return_trace (false); for (const auto &_ : +it) @@ -111,11 +112,13 @@ struct CFFIndex hb_requires (hb_is_iterator (Iterator))> bool serialize_header (hb_serialize_context_t *c, Iterator it, - unsigned data_size) + unsigned data_size, + unsigned min_off_size = 0) { TRACE_SERIALIZE (this); unsigned off_size = (hb_bit_storage (data_size + 1) + 7) / 8; + off_size = hb_max(min_off_size, off_size); /* serialize CFFIndex header */ if (unlikely (!c->extend_min (this))) return_trace (false); @@ -195,7 +198,7 @@ struct CFFIndex template <typename Iterable, hb_requires (hb_is_iterable (Iterable))> - static unsigned total_size (const Iterable &iterable, unsigned *data_size = nullptr) + static unsigned total_size (const Iterable &iterable, unsigned *data_size = nullptr, unsigned min_off_size = 0) { auto it = + hb_iter (iterable); if (!it) @@ -211,6 +214,7 @@ struct CFFIndex if (data_size) *data_size = total; unsigned off_size = (hb_bit_storage (total + 1) + 7) / 8; + off_size = hb_max(min_off_size, off_size); return min_size + HBUINT8::static_size + (hb_len (it) + 1) * off_size + total; } @@ -274,8 +278,10 @@ struct CFFIndex { TRACE_SANITIZE (this); return_trace (likely (c->check_struct (this) && + hb_barrier () && (count == 0 || /* empty INDEX */ (count < count + 1u && + hb_barrier () && c->check_struct (&offSize) && offSize >= 1 && offSize <= 4 && c->check_array (offsets, offSize, count + 1u) && c->check_array ((const HBUINT8*) data_base (), 1, offset_at (count)))))); @@ -412,6 +418,7 @@ struct FDSelect0 { TRACE_SANITIZE (this); if (unlikely (!(c->check_struct (this)))) return_trace (false); + hb_barrier (); if (unlikely (!c->check_array (fds, c->get_num_glyphs ()))) return_trace (false); @@ -438,7 +445,9 @@ struct FDSelect3_4_Range bool sanitize (hb_sanitize_context_t *c, const void * /*nullptr*/, unsigned int fdcount) const { TRACE_SANITIZE (this); - return_trace (first < c->get_num_glyphs () && (fd < fdcount)); + return_trace (c->check_struct (this) && + hb_barrier () && + first < c->get_num_glyphs () && (fd < fdcount)); } GID_TYPE first; @@ -456,15 +465,20 @@ struct FDSelect3_4 bool sanitize (hb_sanitize_context_t *c, unsigned int fdcount) const { TRACE_SANITIZE (this); - if (unlikely (!c->check_struct (this) || !ranges.sanitize (c, nullptr, fdcount) || - (nRanges () == 0) || ranges[0].first != 0)) + if (unlikely (!(c->check_struct (this) && + ranges.sanitize (c, nullptr, fdcount) && + hb_barrier () && + (nRanges () != 0) && + ranges[0].first == 0))) return_trace (false); for (unsigned int i = 1; i < nRanges (); i++) if (unlikely (ranges[i - 1].first >= ranges[i].first)) return_trace (false); - if (unlikely (!sentinel().sanitize (c) || (sentinel() != c->get_num_glyphs ()))) + if (unlikely (!(sentinel().sanitize (c) && + hb_barrier () && + (sentinel() == c->get_num_glyphs ())))) return_trace (false); return_trace (true); @@ -559,6 +573,7 @@ struct FDSelect TRACE_SANITIZE (this); if (unlikely (!c->check_struct (this))) return_trace (false); + hb_barrier (); switch (format) { |