Commit 23367ff97f33ef6a2b7e1fced1157c87a46d9596

Werner Lemberg 2014-03-17T07:33:14

Fix Savannah bug #41869.

This works around a problem with HarfBuzz (<= 0.9.26), which doesn't validate glyph indices returned by `hb_ot_layout_lookup_collect_glyphs'.

* src/autofit/hbshim.c (af_get_coverage): Guard `idx'.

* docs/CHANGES: Updated.

diff --git a/ChangeLog b/ChangeLog
index d1b6559..56b77d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2014-03-17  Werner Lemberg  <wl@gnu.org>
+
+	Fix Savannah bug #41869.
+
+	This works around a problem with HarfBuzz (<= 0.9.26), which doesn't
+	validate glyph indices returned by
+	`hb_ot_layout_lookup_collect_glyphs'.
+
+	* src/autofit/hbshim.c (af_get_coverage): Guard `idx'.
+
+	* docs/CHANGES: Updated.
+
 2014-03-14  Werner Lemberg  <wl@gnu.org>
 
 	* builds/unix/configure.raw: Don't show error messages of `which'.
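Review bot: the ChangeLog entry records the fix only as "Guard `idx'" without saying what an unguarded index does; in the hbshim.c hunk below the index is used to write `gstyles[idx]`, so an out-of-range value from HarfBuzz is an out-of-bounds write, not merely a bad read. Consider wording the entry to capture that, e.g. "Guard `idx' against out-of-range glyph indices before writing `gstyles[idx]'", so the memory-safety impact of the bug is on record alongside the HarfBuzz version range.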
diff --git a/docs/CHANGES b/docs/CHANGES
index 803f02d..69e50b4 100644
--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -1,11 +1,20 @@
+CHANGES BETWEEN 2.5.3 and 2.5.4
+
+  I. IMPORTANT BUG FIXES
+
+    - The new auto-hinter code using HarfBuzz crashed for some invalid
+      fonts.
+
+
+======================================================================
 
 CHANGES BETWEEN 2.5.2 and 2.5.3
 
   I. IMPORTANT BUG FIXES
 
-    - A vulnerability was  identified and fixed in the  new CFF driver
-      (cf. http://savannah.nongnu.org/bugs/?41697;  it doesn't  have a
-      CVE number yet).  All users should upgrade.
+    - A vulnerability (CVE-2014-2240) was  identified and fixed in the
+      new  CFF  driver  (cf.  http://savannah.nongnu.org/bugs/?41697).
+      All users should upgrade.
 
     - More  bug  fixes related  to  correct  positioning of  composite
       glyphs.
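Review bot: the new 2.5.4 entry says the auto-hinter "crashed for some invalid fonts", but the commit message attributes the problem to HarfBuzz <= 0.9.26 returning unvalidated glyph indices, and the hbshim.c hunk shows the consequence is an out-of-bounds write to `gstyles[idx]`, which can do more than crash. Suggest naming the affected HarfBuzz versions and the nature of the defect, e.g. "The new auto-hinter code using HarfBuzz could write out of bounds (and crash) for some invalid fonts when built against HarfBuzz 0.9.26 or older", so that users on newer HarfBuzz can tell they are unaffected. The retroactive CVE-2014-2240 reference added to the 2.5.3 section is the right kind of detail; this entry should be similarly specific.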
diff --git a/src/autofit/hbshim.c b/src/autofit/hbshim.c
index 11fb743..2eda8d7 100644
--- a/src/autofit/hbshim.c
+++ b/src/autofit/hbshim.c
@@ -347,6 +347,11 @@
       count++;
 #endif
 
+      /* HarfBuzz 0.9.26 and older doesn't validate glyph indices */
+      /* returned by `hb_ot_layout_lookup_collect_glyphs'...      */
+      if ( idx >= (hb_codepoint_t)globals->glyph_count )
+        continue;
+
       if ( gstyles[idx] == AF_STYLE_UNASSIGNED )
         gstyles[idx] = (FT_Byte)style_class->style;
 #ifdef FT_DEBUG_LEVEL_TRACE
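Review bot: the new guard sits after the `count++` that is closed by the `#endif` just above it, so an out-of-range `idx` is still counted in the trace total of glyphs covered by the lookup even though the loop then skips it; move the check above that `#ifdef` block (or decrement `count` before `continue`) so the traced count matches the number of glyphs actually assigned a style. It would also help to emit a trace message in the skipped branch, since a build against an old HarfBuzz otherwise discards the bad indices silently. Finally, the comparison `idx >= (hb_codepoint_t)globals->glyph_count` relies on `glyph_count` being non-negative: if it is a signed type, a negative value would cast to a huge unsigned bound and the guard would pass every index, so an explicit check that `glyph_count` is positive (or a comment stating that invariant) is worth adding.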