Fix Savannah bug #41869. This works around a problem with HarfBuzz (<= 0.9.26), which doesn't validate glyph indices returned by `hb_ot_layout_lookup_collect_glyphs'. * src/autofit/hbshim.c (af_get_coverage): Guard `idx'. * docs/CHANGES: Updated.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
diff --git a/ChangeLog b/ChangeLog
index d1b6559..56b77d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2014-03-17 Werner Lemberg <wl@gnu.org>
+
+ Fix Savannah bug #41869.
+
+ This works around a problem with HarfBuzz (<= 0.9.26), which doesn't
+ validate glyph indices returned by
+ `hb_ot_layout_lookup_collect_glyphs'.
+
+ * src/autofit/hbshim.c (af_get_coverage): Guard `idx'.
+
+ * docs/CHANGES: Updated.
+
2014-03-14 Werner Lemberg <wl@gnu.org>
* builds/unix/configure.raw: Don't show error messages of `which'.
diff --git a/docs/CHANGES b/docs/CHANGES
index 803f02d..69e50b4 100644
--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -1,11 +1,20 @@
+CHANGES BETWEEN 2.5.3 and 2.5.4
+
+ I. IMPORTANT BUG FIXES
+
+ - The new auto-hinter code using HarfBuzz crashed for some invalid
+ fonts.
+
+
+======================================================================
CHANGES BETWEEN 2.5.2 and 2.5.3
I. IMPORTANT BUG FIXES
- - A vulnerability was identified and fixed in the new CFF driver
- (cf. http://savannah.nongnu.org/bugs/?41697; it doesn't have a
- CVE number yet). All users should upgrade.
+ - A vulnerability (CVE-2014-2240) was identified and fixed in the
+ new CFF driver (cf. http://savannah.nongnu.org/bugs/?41697).
+ All users should upgrade.
- More bug fixes related to correct positioning of composite
glyphs.
diff --git a/src/autofit/hbshim.c b/src/autofit/hbshim.c
index 11fb743..2eda8d7 100644
--- a/src/autofit/hbshim.c
+++ b/src/autofit/hbshim.c
@@ -347,6 +347,11 @@
count++;
#endif
+ /* HarfBuzz 0.9.26 and older doesn't validate glyph indices */
+ /* returned by `hb_ot_layout_lookup_collect_glyphs'... */
+ if ( idx >= (hb_codepoint_t)globals->glyph_count )
+ continue;
+
if ( gstyles[idx] == AF_STYLE_UNASSIGNED )
gstyles[idx] = (FT_Byte)style_class->style;
#ifdef FT_DEBUG_LEVEL_TRACE