author | Behdad Esfahbod <behdad@behdad.org> | 2018-10-20 12:09:41 -0700 |
---|---|---|
committer | Behdad Esfahbod <behdad@behdad.org> | 2018-10-20 12:20:57 -0700 |
commit | 68b705076808d4b0a4ac3bfa945b8f9ae23db1df (patch) | |
tree | 29e5733875788b706594d5777e1e51a10448a835 | |
parent | 00fdbca4f6a5c4623b9c4838da502cccce8aaa74 (diff) |
[kerx] Fix sanitize of KerxSubtableFormat2::array read
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11033
-rw-r--r-- | src/hb-aat-layout-kerx-table.hh | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 64257809..e8eb43b8 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -103,7 +103,8 @@ struct KerxSubTableFormat0
 inline bool sanitize (hb_sanitize_context_t *c) const
 {
 TRACE_SANITIZE (this);
- return_trace (likely (pairs.sanitize (c)));
+ return_trace (likely (c->check_struct (this) &&
+ pairs.sanitize (c)));
 }

 protected:
@@ -275,7 +276,7 @@ struct KerxSubTableFormat2
 inline bool sanitize (hb_sanitize_context_t *c) const
 {
 TRACE_SANITIZE (this);
- return_trace (likely (rowWidth.sanitize (c) &&
+ return_trace (likely (c->check_struct (this) &&
 leftClassTable.sanitize (c, this) &&
 rightClassTable.sanitize (c, this) &&
 c->check_range (this, array))); |
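Review bot: The new `c->check_struct (this)` in KerxSubTableFormat0::sanitize has no comment saying why it must run before `pairs.sanitize (c)`, and the commit title names only Format2, so the reason for touching Format0 is not recorded anywhere. From the hunk alone it is not clear whether `pairs.sanitize` already validates its own header, which makes this call look redundant and easy to drop in a later cleanup. I would add `/* Fixed-size fields must be in bounds before pairs reads its length. */` above the return, adjusted to whatever the actual reason is. The struct body continues outside the hunk, so the field layout cannot be confirmed here.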
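Review bot: The last term in KerxSubTableFormat2::sanitize, `c->check_range (this, array)`, appears to validate only the bytes from `this` up to the offset stored in `array`, not the extent of the kerning array that the offset points at; this is inferred from the call shape, since check_range is defined outside this page. If that reading is right, sanitize still accepts a subtable whose array runs past the end of the blob, and every lookup that indexes `this+array` with class values taken from the font has to range-check at read time. Either bound the array here from the row and column counts, or state the residual contract with a comment such as `/* array extent is not validated here; readers must range-check each access */`. Replacing `rowWidth.sanitize (c)` with `c->check_struct (this)` does look right, because the three offsets dereferenced on the following lines live in the same fixed-size header.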