From: Ebrahim Byagowi
Date: Sat, 27 Oct 2018 07:20:53 +0000 (+0330)
Subject: [ot-color/png] sbix runtime memory check
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6a38fd68a8f4e66d9248e0c943ae3a1cf45c521b;p=platform%2Fupstream%2FlibHarfBuzzSharp.git

[ot-color/png] sbix runtime memory check
---
diff --git a/src/hb-ot-color-cbdt-table.hh b/src/hb-ot-color-cbdt-table.hh
index 0f64577..770fe3e 100644
--- a/src/hb-ot-color-cbdt-table.hh
+++ b/src/hb-ot-color-cbdt-table.hh
@@ -452,7 +452,7 @@ struct CBDT
 }

 inline void dump (void (*callback) (const uint8_t* data, unsigned int length,
- unsigned int group, unsigned int gid)) const
+ unsigned int group, unsigned int gid)) const
 {
 if (!cblc)
 return; // Not a color bitmap font.
@@ -504,15 +504,13 @@ struct CBDT
 }
 }

- inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id,
- unsigned int requested_x_ppem,
- unsigned int requested_y_ppem,
- unsigned int *strike_x_ppem,
- unsigned int *strike_y_ppem) const
+ inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id HB_UNUSED,
+ unsigned int requested_x_ppem HB_UNUSED,
+ unsigned int requested_y_ppem HB_UNUSED,
+ unsigned int *strike_x_ppem HB_UNUSED,
+ unsigned int *strike_y_ppem HB_UNUSED) const
 {
-// if (unlikely (cbdt_len == 0))
- return hb_blob_get_empty ();
-// return svg->get_glyph_entry (glyph_id).reference_blob (svg_blob, svg->svgDocEntries);
+ return hb_blob_get_empty ();
 }

 inline bool has_data () const
diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
index 97eac9b..cba62f0 100644
--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
@@ -82,6 +82,7 @@ struct SBIXStrike

 inline hb_blob_t *get_glyph_blob (unsigned int glyph_id,
 hb_blob_t *sbix_blob,
+ unsigned int sbix_len,
 unsigned int strike_offset,
 unsigned int *x_offset,
 unsigned int *y_offset,
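Review bot: The stub `reference_blob_for_glyph` in the second CBDT hunk returns the empty blob without touching `strike_x_ppem`/`strike_y_ppem`, so a caller that reads them without first checking the blob length gets whatever the variables held before the call, whereas the sbix counterpart in this same commit fills `available_x_ppem`/`available_y_ppem` before returning. Writing zeros keeps the two implementations consistent: `if (strike_x_ppem) *strike_x_ppem = 0;` and `if (strike_y_ppem) *strike_y_ppem = 0;` ahead of the return (dropping `HB_UNUSED` from those two parameters). A one-line comment stating that CBDT/CBLC bitmap extraction is not implemented yet and the function always returns the empty blob would also explain the bare `return`, now that the commented-out code hinting at it is gone.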
@@ -91,6 +92,9 @@ struct SBIXStrike
 if (imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] == 0)
 return hb_blob_get_empty ();

+ if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len)
+ return hb_blob_get_empty ();
+
 const SBIXGlyph *glyph = &(this+imageOffsetsZ[glyph_id]);
 if (unlikely (glyph->graphicType == HB_TAG ('d','u','p','e') &&
 blob_size (glyph_id) >= 2))
@@ -100,6 +104,8 @@ struct SBIXStrike
 {
 glyph = &(this+imageOffsetsZ[new_glyph_id]);
 glyph_id = new_glyph_id;
+ if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len)
+ return hb_blob_get_empty ();
 }
 }
 if (unlikely (requested_file_type != glyph->graphicType))
@@ -155,18 +161,18 @@ struct sbix
 const SBIXStrike &strike = sbix_table+sbix_table->strikes[group]; for (unsigned int glyph_id = 0; glyph_id < num_glyphs; glyph_id++) {
- unsigned int x_offset, y_offset;
 hb_tag_t tag; hb_blob_t *blob;
- blob = strike.get_glyph_blob (glyph_id, sbix_blob, sbix_table->strikes[group],
- &x_offset, &x_offset,
+ blob = strike.get_glyph_blob (glyph_id, sbix_blob, sbix_len,
+ sbix_table->strikes[group],
+ nullptr, nullptr,
 HB_TAG('p','n','g',' '), num_glyphs); if (hb_blob_get_length (blob)) callback (blob, group, glyph_id); } } }
- inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id,
+ inline hb_blob_t *reference_blob_for_glyph (hb_codepoint_t glyph_id,
 unsigned int ptem HB_UNUSED, unsigned int requested_ppem, unsigned int requested_file_type,
@@ -187,7 +193,8 @@ struct sbix
 const SBIXStrike &strike = sbix_table+sbix_table->strikes[group];
 if (available_x_ppem) *available_x_ppem = strike.get_ppem ();
 if (available_y_ppem) *available_y_ppem = strike.get_ppem ();
- return strike.get_glyph_blob (glyph_id, sbix_blob, sbix_table->strikes[group],
+ return strike.get_glyph_blob (glyph_id, sbix_blob, sbix_len,
+ sbix_table->strikes[group],
 nullptr, nullptr, requested_file_type, num_glyphs);
 }

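Review bot: The new guard in `get_glyph_blob` (the `@@ -91,6 +92,9 @@` hunk, repeated in the `dupe` branch of the `@@ -100,6 +104,8 @@` hunk) adds three unsigned values before comparing with `sbix_len`, so a large `imageOffsetsZ[glyph_id]` from a malformed font can wrap the sum to a value below `sbix_len` and the `this+imageOffsetsZ[glyph_id]` dereference that follows is then effectively unchecked. Subtractions that cannot wrap give the same bound safely: `if (unlikely (strike_offset > sbix_len || (unsigned int) imageOffsetsZ[glyph_id] > sbix_len - strike_offset ||` / `SBIXGlyph::min_size > sbix_len - strike_offset - (unsigned int) imageOffsetsZ[glyph_id]))` / `return hb_blob_get_empty ();`, and since the test appears at both sites a small helper taking the offset would keep them identical. The guard also covers only the `SBIXGlyph` header; the `imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id]` length computed just above still wraps when the offsets are not monotonic, which is presumably clamped by the sub-blob creation further down but deserves a comment saying so. `get_glyph_blob` starts in the previous hunk and ends after this one.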
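Review bot: `hb_tag_t tag;` in the `dump` hunk (`@@ -155,18 +161,18 @@`) is now the only local left beside `blob` and is never used, so it should go the same way `x_offset`/`y_offset` did; `hb_blob_t *blob = strike.get_glyph_blob (...)` would also fold the separate declaration into the call. Separately, the blob handed to `callback` is never released in this loop; if `get_glyph_blob` returns a fresh sub-blob the way the svg table's `reference_blob` in this commit does with `hb_blob_create_sub_blob`, every glyph leaks a reference unless the callback destroys it, and an explicit `hb_blob_destroy (blob);` after the `if` would make the ownership clear. `dump` begins before this hunk.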
@@ -200,7 +207,6 @@ struct sbix

 unsigned int sbix_len;
 unsigned int num_glyphs;
- hb_vector_t > data_offsets;
 };

 protected:
diff --git a/src/hb-ot-color-svg-table.hh b/src/hb-ot-color-svg-table.hh
index 4ef3807..5238ad4 100644
--- a/src/hb-ot-color-svg-table.hh
+++ b/src/hb-ot-color-svg-table.hh
@@ -50,7 +50,7 @@ struct SVGDocumentIndexEntry
 return b->cmp (*a);
 }

- inline hb_blob_t* reference_blob (hb_blob_t *svg_blob, unsigned int index_offset) const
+ inline hb_blob_t *reference_blob (hb_blob_t *svg_blob, unsigned int index_offset) const
 {
 if (svgDocLength == 0) return hb_blob_get_empty ();
 return hb_blob_create_sub_blob (svg_blob, (unsigned int) svgDoc + index_offset,
@@ -95,7 +95,7 @@ struct SVG
 hb_blob_destroy (svg_blob);
 }

- inline hb_blob_t* reference_blob_for_glyph (hb_codepoint_t glyph_id) const
+ inline hb_blob_t *reference_blob_for_glyph (hb_codepoint_t glyph_id) const
 {
 if (unlikely (svg_len == 0))
 return hb_blob_get_empty ();