Commit faddba4474467661ea8d2ba2055c051c7590da96
2011-10-08T01:30:49
[gxvalid] Fix a bug to detect too large offset in morx table. * src/gxvalid/gxvmorx2.c (gxv_morx_subtable_type2_ligActionIndex_validate): Fix a bug that too large positive offset cannot be detected.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
diff --git a/ChangeLog b/ChangeLog
index cfc74cc..3db02a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2011-10-07 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+
+ [gxvalid] Fix a bug to detect too large offset in morx table.
+
+ * src/gxvalid/gxvmorx2.c
+ (gxv_morx_subtable_type2_ligActionIndex_validate): Fix a bug
+ that too large positive offset cannot be detected.
+
2011-10-01 Braden Thomas <bthomas@apple.com>
Handle some border cases.
diff --git a/src/gxvalid/gxvmorx2.c b/src/gxvalid/gxvmorx2.c
index bc18c6b..9d2b0bc 100644
--- a/src/gxvalid/gxvmorx2.c
+++ b/src/gxvalid/gxvmorx2.c
@@ -173,6 +173,7 @@
FT_UShort store;
#endif
FT_ULong offset;
+ FT_Long gid_limit;
lig_action = FT_NEXT_ULONG( p );
@@ -186,8 +187,9 @@
/* this offset is 30-bit signed value to add to GID */
/* it is different from the location offset in mort */
if ( ( offset & 0x3FFF0000UL ) == 0x3FFF0000UL )
- {
- if ( offset + valid->face->num_glyphs > 0x40000000UL )
+ { /* negative offset */
+ gid_limit = valid->face->num_glyphs - ( offset & 0x0000FFFFUL );
+ if ( gid_limit > 0 )
return;
GXV_TRACE(( "ligature action table includes"
@@ -197,8 +199,8 @@
GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET );
}
else if ( ( offset & 0x3FFF0000UL ) == 0x0000000UL )
- {
- if ( offset + valid->face->num_glyphs < 0 )
+ { /* positive offset */
+ if ( (FT_Long)offset < valid->face->num_glyphs )
return;
GXV_TRACE(( "ligature action table includes"