[OTLayout] Protect against out-of-range lookup indices
Filter them out when compiling map.
diff --git a/src/hb-ot-layout.cc b/src/hb-ot-layout.cc
index 80d92b4..07c093f 100644
--- a/src/hb-ot-layout.cc
+++ b/src/hb-ot-layout.cc
@@ -414,6 +414,23 @@
return f.get_lookup_indexes (start_offset, lookup_count, lookup_indexes);
}
+unsigned int
+hb_ot_layout_table_get_lookup_count (hb_face_t *face,
+ hb_tag_t table_tag)
+{
+ switch (table_tag)
+ {
+ case HB_OT_TAG_GSUB:
+ {
+ return hb_ot_layout_from_face (face)->gsub_lookup_count;
+ }
+ case HB_OT_TAG_GPOS:
+ {
+ return hb_ot_layout_from_face (face)->gpos_lookup_count;
+ }
+ }
+}
+
static void
_hb_ot_layout_collect_lookups_lookups (hb_face_t *face,
hb_tag_t table_tag,
diff --git a/src/hb-ot-layout.h b/src/hb-ot-layout.h
index d2a314c..dfc7f24 100644
--- a/src/hb-ot-layout.h
+++ b/src/hb-ot-layout.h
@@ -180,6 +180,11 @@
unsigned int *lookup_count /* IN/OUT */,
unsigned int *lookup_indexes /* OUT */);
+unsigned int
+hb_ot_layout_table_get_lookup_count (hb_face_t *face,
+ hb_tag_t table_tag);
+
+
void
hb_ot_layout_collect_lookups (hb_face_t *face,
hb_tag_t table_tag,
diff --git a/src/hb-ot-map.cc b/src/hb-ot-map.cc
index 43856fa..17dc934 100644
--- a/src/hb-ot-map.cc
+++ b/src/hb-ot-map.cc
@@ -40,6 +40,9 @@
{
unsigned int lookup_indices[32];
unsigned int offset, len;
+ unsigned int table_lookup_count;
+
+ table_lookup_count = hb_ot_layout_table_get_lookup_count (face, table_tags[table_index]);
offset = 0;
do {
@@ -50,7 +53,10 @@
offset, &len,
lookup_indices);
- for (unsigned int i = 0; i < len; i++) {
+ for (unsigned int i = 0; i < len; i++)
+ {
+ if (lookup_indices[i] >= table_lookup_count)
+ continue;
hb_ot_map_t::lookup_map_t *lookup = lookups[table_index].push ();
if (unlikely (!lookup))
return;
