diff options
author | Behdad Esfahbod <behdad@behdad.org> | 2018-10-15 11:15:54 -0700 |
---|---|---|
committer | Behdad Esfahbod <behdad@behdad.org> | 2018-10-15 11:15:54 -0700 |
commit | 0f85edb7781f4d5ec2de676979be75a0f6559d80 (patch) | |
tree | 14db8258ed553e4d277f18702429f283638e9195 | |
parent | 55d5ea666c25f75e9b1bc2eb43cfb104a16ebe04 (diff) |
[morx] Another end-of-text corner case
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10990
-rw-r--r-- | src/hb-aat-layout-morx-table.hh | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh index 8446a862..c88e7a72 100644 --- a/src/hb-aat-layout-morx-table.hh +++ b/src/hb-aat-layout-morx-table.hh @@ -412,6 +412,8 @@ struct LigatureSubtable if (uoffset & 0x20000000) uoffset += 0xC0000000; int32_t offset = (int32_t) uoffset; + if (buffer->idx >= buffer->len) + return false; // TODO Work on previous instead? unsigned int component_idx = buffer->cur().codepoint + offset; const HBUINT16 &componentData = component[component_idx]; |