[kerx/morx] Make sure object length is sanitized before accessing it

6 years ago · 8dcc1913a1
parent 70d80c90fe
commit 8dcc1913a1
2 changed files with 10 additions and 0 deletions
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@ -962,6 +962,11 @@ struct KerxTable
    unsigned int count = thiz()->tableCount;
    for (unsigned int i = 0; i < count; i++)
    {
+      if (unlikely (!st->u.header.sanitize (c)))
+      {
+	c->reset_object ();
+	return_trace (false);
+      }
      /* OpenType kern table has 2-byte subtable lengths.  That's limiting.
       * MS implementation also only supports one subtable, of format 0,
       * anyway.  Certain versions of some fonts, like Calibry, contain
--- a/src/hb-aat-layout-morx-table.hh
+++ b/src/hb-aat-layout-morx-table.hh
@ -1061,6 +1061,11 @@ struct Chain
    unsigned int count = subtableCount;
    for (unsigned int i = 0; i < count; i++)
    {
+      if (unlikely (!c->check_struct (subtable)))
+      {
+	c->reset_object ();
+	return_trace (false);
+      }
      c->set_object (*subtable);
      if (!subtable->sanitize (c))
 	return_trace (false);