src/hb-open-type-private.hh | 13 ++++++++++--- src/hb-static.cc | 4 +++- 2 files changed, 13 insertions(+), 4 deletions(-)
New commits: commit 61eddbd8ef64dc66e3c42723533d53967e61c9af Author: Behdad Esfahbod <beh...@behdad.org> Date: Mon Jul 23 14:44:10 2018 -0700 Fix infinite loop in loading num_glyphs within sanitizer
diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index e2a13556..a143cc00 100644
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh
@@ -164,7 +164,8 @@ struct hb_sanitize_context_t :
 start (nullptr), end (nullptr), writable (false), edit_count (0), max_ops (0), blob (nullptr),
- num_glyphs (0) {}
+ num_glyphs (65536),
+ num_glyphs_set (false) {}
 inline const char *get_name (void) { return "SANITIZE"; }
 template <typename T, typename F>
@@ -182,7 +183,11 @@ struct hb_sanitize_context_t :
 this->writable = false;
 }
- inline void set_num_glyphs (unsigned int num_glyphs_) { num_glyphs = num_glyphs_; }
+ inline void set_num_glyphs (unsigned int num_glyphs_)
+ {
+ num_glyphs = num_glyphs_;
+ num_glyphs_set = true;
+ }
 inline unsigned int get_num_glyphs (void) { return num_glyphs; }
 inline void start_processing (void)
@@ -348,7 +353,8 @@ struct hb_sanitize_context_t :
 template <typename Type>
 inline hb_blob_t *reference_table (const hb_face_t *face, hb_tag_t tableTag = Type::tableTag)
 {
- set_num_glyphs (face->get_num_glyphs ());
+ if (!num_glyphs_set)
+ set_num_glyphs (face->get_num_glyphs ());
 return sanitize_blob<Type> (face->reference_table (tableTag));
 }
@@ -360,6 +366,7 @@ struct hb_sanitize_context_t :
 mutable int max_ops;
 hb_blob_t *blob;
 unsigned int num_glyphs;
+ bool num_glyphs_set;
 };
diff --git a/src/hb-static.cc b/src/hb-static.cc
index bc4bf547..e6920e7e 100644
--- a/src/hb-static.cc
+++ b/src/hb-static.cc
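Review bot: The constructor now defaults `num_glyphs` to 65536 instead of 0, which flips a fresh context from rejecting every glyph id to accepting any 16-bit one until `set_num_glyphs` runs, and nothing in the hunk records why that bound was chosen. A comment on the initializer would stop a later reader from mistaking it for a real glyph count, e.g. `num_glyphs (65536), /* permissive upper bound until set_num_glyphs () installs the face's count */`. Whether any sanitize check compares glyph ids against `num_glyphs` before it is set is not visible here, so the exposure, if any, is inferred from the default alone. The constructor's initializer list begins before the hunk.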
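Review bot: In `reference_table`, `if (!num_glyphs_set)` means the first call pins the glyph count for the rest of the context's life, so a context reused across faces, or one primed with a placeholder count as the hb-static.cc hunk does, silently sanitizes every later table against that first value. If single-face, single-purpose use is the intended contract, state it above the method: `/* num_glyphs is taken from the first face seen; do not reuse a context across faces */`. I cannot see whether any caller reuses contexts, so this is a documentation request rather than a reported defect.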
@@ -38,7 +38,9 @@ hb_vector_size_impl_t const _hb_NullPool[(HB_NULL_POOL_SIZE + sizeof (hb_vector_
 void
 hb_face_t::load_num_glyphs (void) const
 {
- hb_blob_t *maxp_blob = OT::hb_sanitize_context_t().reference_table<OT::maxp> (this);
+ OT::hb_sanitize_context_t c = OT::hb_sanitize_context_t();
+ c.set_num_glyphs (0); /* So we don't recurse ad infinitum. */
+ hb_blob_t *maxp_blob = c.reference_table<OT::maxp> (this);
 const OT::maxp *maxp_table = maxp_blob->as<OT::maxp> ();
 num_glyphs = maxp_table->get_num_glyphs ();
 hb_blob_destroy (maxp_blob);
_______________________________________________ HarfBuzz mailing list HarfBuzz@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/harfbuzz
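Review bot: `OT::hb_sanitize_context_t c = OT::hb_sanitize_context_t();` copy-initializes from a temporary where the default constructor shown in the header hunk already yields the same object; `OT::hb_sanitize_context_t c;` is the plainer form. The comment on the next line names the symptom but not the path; `/* Pin num_glyphs first: reference_table () would otherwise call face->get_num_glyphs (), which re-enters load_num_glyphs (). */` would let a reader see why 0 is the right value here. Sanitizing maxp itself against a glyph count of 0 is presumably harmless for that table, but that assumption deserves a word in the same comment. The function's closing brace is outside the hunk.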