src/hb-ot-shape-normalize.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
New commits: commit 30eab97a0072fbc22d353082249e0e6e546cd86b Author: Behdad Esfahbod <beh...@behdad.org> Date: Fri Oct 26 21:54:07 2018 -0700 Fix invalid memory read Buffer might be relocated inside replace_glyphs(). Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=895117
diff --git a/src/hb-ot-shape-normalize.cc b/src/hb-ot-shape-normalize.cc
index 2164f7ad..d5600f9f 100644
--- a/src/hb-ot-shape-normalize.cc
+++ b/src/hb-ot-shape-normalize.cc
@@ -225,7 +225,8 @@ handle_variation_selector_cluster (const hb_ot_shape_normalize_context_t *c,
 /* The next two lines are some ugly lines... But work. */
 if (font->get_variation_glyph (buffer->cur().codepoint, buffer->cur(+1).codepoint, &buffer->cur().glyph_index()))
 {
- buffer->replace_glyphs (2, 1, &buffer->cur().codepoint);
+ hb_codepoint_t unicode = buffer->cur().codepoint;
+ buffer->replace_glyphs (2, 1, &unicode);
 }
 else
 {
_______________________________________________ HarfBuzz mailing list HarfBuzz@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/harfbuzz
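Review bot: The new local `unicode` in handle_variation_selector_cluster carries no comment saying why the copy is needed, so it reads as a redundant temporary and a later cleanup could fold it back into `&buffer->cur().codepoint`, reintroducing the invalid read. I would add above it `/* Copy out first: replace_glyphs() may reallocate the buffer, which invalidates pointers into cur(). */`. The diffstat shows a single file changed, so no regression input for the linked Chromium issue appears to be added with the fix; a small test or fuzzer seed would pin it. Other call sites that hand replace_glyphs() a pointer into the buffer's own storage are not visible here and may deserve the same check. The function body starts and ends outside the hunk.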