| commit | 85630996b8afa699f7b5d19346cdf5c72fcd6e2d | [log] [tgz] |
|---|---|---|
| author | Behdad Esfahbod <behdad@behdad.org> | Sat Feb 25 13:30:38 2017 -0800 |
| committer | Behdad Esfahbod <behdad@behdad.org> | Sat Feb 25 13:32:20 2017 -0800 |
| tree | 76a4a5ce2b929e1c22938c053a37b074c3d58ff5 | |
| parent | 6685d281d6f50bf046bbfef4a5263e15d15f2f02 [diff] |
Fix buffer-overrun with Bengali reph positioning code This has no security implications whatsoever since we always keep and extra element at the end of buffer, just in case. Discovered by oss-fuzz CC https://github.com/behdad/harfbuzz/issues/139 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=660
diff --git a/src/hb-ot-shape-complex-indic.cc b/src/hb-ot-shape-complex-indic.cc index b48fb56..ec12ce6 100644 --- a/src/hb-ot-shape-complex-indic.cc +++ b/src/hb-ot-shape-complex-indic.cc
@@ -1497,7 +1497,7 @@ if (reph_pos == REPH_POS_AFTER_SUB) { new_reph_pos = base; - while (new_reph_pos < end && + while (new_reph_pos + 1 < end && !( FLAG_SAFE (info[new_reph_pos + 1].indic_position()) & (FLAG (POS_POST_C) | FLAG (POS_AFTER_POST) | FLAG (POS_SMVD)))) new_reph_pos++; if (new_reph_pos < end)