Fix buffer-overrun with Bengali reph positioning code

This has no security implications whatsoever since we always keep
an extra element at the end of buffer, just in case.

Discovered by oss-fuzz
CC https://github.com/behdad/harfbuzz/issues/139
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=660
pull/430/head
Behdad Esfahbod 8 years ago
parent 6685d281d6
commit 85630996b8
      src/hb-ot-shape-complex-indic.cc

@ -1497,7 +1497,7 @@ final_reordering_syllable (const hb_ot_shape_plan_t *plan,
if (reph_pos == REPH_POS_AFTER_SUB) if (reph_pos == REPH_POS_AFTER_SUB)
{ {
new_reph_pos = base; new_reph_pos = base;
while (new_reph_pos < end && while (new_reph_pos + 1 < end &&
!( FLAG_SAFE (info[new_reph_pos + 1].indic_position()) & (FLAG (POS_POST_C) | FLAG (POS_AFTER_POST) | FLAG (POS_SMVD)))) !( FLAG_SAFE (info[new_reph_pos + 1].indic_position()) & (FLAG (POS_POST_C) | FLAG (POS_AFTER_POST) | FLAG (POS_SMVD))))
new_reph_pos++; new_reph_pos++;
if (new_reph_pos < end) if (new_reph_pos < end)
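Review bot: The unchanged post-loop test `if (new_reph_pos < end)` no longer separates "found a matching glyph" from "ran out of glyphs". With the new guard `new_reph_pos + 1 < end` the loop stops at `end - 1` at the latest, so whenever `base < end` that test is always true; with the old guard it was false when no POS_POST_C, POS_AFTER_POST or POS_SMVD glyph followed. If the not-found case is still supposed to skip the branch, the post-loop test needs the same adjustment (for example `new_reph_pos + 1 < end`). If taking the branch at `end - 1` is intended, a short comment on the loop saying so, and noting that the `+ 1` is there because the body reads `info[new_reph_pos + 1]`, would keep the two conditions from drifting apart again.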
