From d49caf1f77743550d83fc7feced1293ba34a4e99 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Mon, 2 Mar 2009 15:16:11 +0330
Subject: [PATCH] [opentype] Protect against illegal access for arrays of length zero
---
 src/harfbuzz-gpos.c | 22 ++++++++++++++++++----
 src/harfbuzz-gsub.c | 6 ++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/harfbuzz-gpos.c b/src/harfbuzz-gpos.c
index 2961940..c78dcba 100644
--- a/src/harfbuzz-gpos.c
+++ b/src/harfbuzz-gpos.c
@@ -2080,9 +2080,13 @@ static void Free_BaseArray( HB_BaseArray* ba,
 if ( ba->BaseRecord )
 {
 br = ba->BaseRecord;
- bans = br[0].BaseAnchor;
- FREE( bans );
+ if ( ba->BaseCount )
+ {
+ bans = br[0].BaseAnchor;
+ FREE( bans );
+ }
+
 FREE( br );
 }
 }
@@ -2811,9 +2815,13 @@ static void Free_Mark2Array( HB_Mark2Array* m2a,
 if ( m2a->Mark2Record )
 {
 m2r = m2a->Mark2Record;
- m2ans = m2r[0].Mark2Anchor;
- FREE( m2ans );
+ if ( m2a->Mark2Count )
+ {
+ m2ans = m2r[0].Mark2Anchor;
+ FREE( m2ans );
+ }
+
 FREE( m2r );
 }
 }
@@ -3857,6 +3865,9 @@ static HB_Error Lookup_ContextPos2( GPOS_Instance* gpi,
 if ( error )
 return error;
+ if (cpf2->MaxContextLength < 1)
+ return HB_Err_Not_Covered;
+
 if ( ALLOC_ARRAY( classes, cpf2->MaxContextLength, HB_UShort ) )
 return error;
@@ -5139,6 +5150,9 @@ static HB_Error Lookup_ChainContextPos2(
 return error;
 known_backtrack_classes = 0;
+ if (ccpf2->MaxInputLength < 1)
+ return HB_Err_Not_Covered;
+
 if ( ALLOC_ARRAY( input_classes, ccpf2->MaxInputLength, HB_UShort ) )
 goto End3;
 known_input_classes = 1;
diff --git a/src/harfbuzz-gsub.c b/src/harfbuzz-gsub.c
index f504bf0..c05f20d 100644
--- a/src/harfbuzz-gsub.c
+++ b/src/harfbuzz-gsub.c
@@ -1896,6 +1896,9 @@ static HB_Error Lookup_ContextSubst2( HB_GSUBHeader* gsub,
 if ( error )
 return error;
+ if (csf2->MaxContextLength < 1)
+ return HB_Err_Not_Covered;
+
 if ( ALLOC_ARRAY( classes, csf2->MaxContextLength, HB_UShort ) )
 return error;
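Review bot: The new `if ( ba->BaseCount )` guard in Free_BaseArray, and the matching `if ( m2a->Mark2Count )` guard in Free_Mark2Array, carry no comment saying why a non-NULL record pointer can still have no element 0. I would add above each guard something like `/* BaseRecord may be a zero-length allocation when the font declares BaseCount == 0; br[0] is then out of bounds */`. The guard is only as reliable as the count field: if the loader can reach this free routine on an error path before the count is assigned, the check reads a stale value, and that code is outside the hunk, so it needs confirming against the load function. Both function bodies begin outside their hunks.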
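Review bot: The added checks in Lookup_ContextPos2 and Lookup_ContextSubst2 are written `if (cpf2->MaxContextLength < 1)`, without the inner padding that the neighbouring conditions use (`if ( error )`, `if ( ALLOC_ARRAY( ... ) )`); the two MaxInputLength checks in the ChainContext functions have the same spacing. Suggest `if ( cpf2->MaxContextLength < 1 )`, plus a short comment such as `/* an empty class array cannot be indexed; treat the lookup as not covered */` so the reason for returning HB_Err_Not_Covered is recorded next to the check. Since the length comes from the font table, rejecting a zero value once when the subtable is loaded would, if the loader permits it, keep malformed input away from the per-glyph lookup path. Both functions continue outside their hunks.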
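Review bot: The new early `return HB_Err_Not_Covered;` in Lookup_ChainContextPos2 looks like it bypasses the End3 cleanup: it sits after `known_backtrack_classes = 0;`, and the very next failure path leaves through `goto End3` rather than a plain return. That suggests something acquired above the hunk (presumably the backtrack class array) is released at End3, so a font with MaxInputLength of zero would leak it each time this lookup runs. Either move the check above the earlier allocation or route it through the label, `if ( ccpf2->MaxInputLength < 1 ) { error = HB_Err_Not_Covered; goto End3; }`, assuming End3 returns `error`. The same pattern appears in Lookup_ChainContextSubst2 in src/harfbuzz-gsub.c with `ccsf2->MaxInputLength`. The allocation and the End3 label are outside both hunks, so this should be confirmed there.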
@@ -3159,6 +3162,9 @@ static HB_Error Lookup_ChainContextSubst2( HB_GSUBHeader* gsub,
 return error;
 known_backtrack_classes = 0;
+ if (ccsf2->MaxInputLength < 1)
+ return HB_Err_Not_Covered;
+
 if ( ALLOC_ARRAY( input_classes, ccsf2->MaxInputLength, HB_UShort ) )
 goto End3;
 known_input_classes = 1;
-- 
2.7.4