authorBehdad Esfahbod <behdad@behdad.org>2018-10-11 15:56:17 -0400
committerBehdad Esfahbod <behdad@behdad.org>2018-10-11 15:56:17 -0400
commite940530c9723c3a581a5d5b31e5f419865dd6cc7 (patch)
tree97f067be192d7e80d1f9e81fda0367ab6e6cdd18
parent1d995a340b9e17fc8dca7a3e88e0918de2d8f02c (diff)
[aat] Fix mul overflow
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10897
-rw-r--r--src/hb-aat-layout-common.hh11
1 files changed, 8 insertions, 3 deletions
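diff --git a/src/hb-aat-layout-common.hh b/src/hb-aat-layout-common.hh
index 78a27a74..5be3d372 100644
--- a/src/hb-aat-layout-common.hh
+++ b/src/hb-aat-layout-common.hh
@@ -386,6 +386,8 @@ struct StateTable
 const HBUINT16 *states = (this+stateArrayTable).arrayZ;
 const Entry<Extra> *entries = (this+entryTable).arrayZ;
+unsigned int num_classes = nClasses;
+
 unsigned int num_states = 1;
 unsigned int num_entries = 0;
@@ -393,13 +395,16 @@ struct StateTable
 unsigned int entry = 0;
 while (state < num_states)
 {
+if (unlikely (hb_unsigned_mul_overflows (num_classes, states[0].static_size)))
+return_trace (false);
+
 if (unlikely (!c->check_array (states,
 num_states,
-states[0].static_size * nClasses)))
+num_classes * states[0].static_size)))
 return_trace (false);
 { /* Sweep new states. */
-const HBUINT16 *stop = &states[num_states * nClasses];
-for (const HBUINT16 *p = &states[state * nClasses]; p < stop; p++)
+const HBUINT16 *stop = &states[num_states * num_classes];
+for (const HBUINT16 *p = &states[state * num_classes]; p < stop; p++)
 num_entries = MAX<unsigned int> (num_entries, *p + 1);
 state = num_states;
 }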
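Review bot: The new hb_unsigned_mul_overflows guard at the top of the while body tests two loop-invariant operands (num_classes and states[0].static_size), so it is re-evaluated on every iteration; it can be hoisted to sit directly after `unsigned int num_classes = nClasses;` in the first hunk, before the loop, with the same `return_trace (false);` on failure. The index arithmetic that follows, `num_states * num_classes` and `state * num_classes`, is only safe if check_array also rejects an overflowing num_states × record_size product — its definition is not in this diff; if check_range does carry that check, the new guard is sufficient, otherwise a second overflow check on num_states and num_classes would be needed before computing `stop`. A one-line comment on the guard would help the next reader, e.g. `/* check_array multiplies num_states by this record size; reject an overflowing record size first. */`. The enclosing sanitize loop begins before and continues past this hunk.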