authorBehdad Esfahbod <behdad@behdad.org>2018-11-16 02:02:24 -0500
committerBehdad Esfahbod <behdad@behdad.org>2018-11-16 02:02:24 -0500
commitcb4bf85b14afb3761a85e3da130f2844ac94a49d (patch)
treee37f48f2729a545b445811a2f7bad6d427708e51
parentaf727b4e629f8b07d7afb809be69d053827f6a51 (diff)
[hdmx] Fix bounds checking
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11351
-rw-r--r--src/hb-ot-hdmx-table.hh11
1 files changed, 5 insertions, 6 deletions
diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index 2eed85c0..0fea24bc 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -66,12 +66,9 @@ struct DeviceRecord
if (unlikely (i >= len ())) return nullptr;
hb_codepoint_t gid = this->subset_plan->glyphs [i];
- const HBUINT8* width = &(this->source_device_record->widthsZ[gid]);
-
- if (width < ((const HBUINT8 *) this->source_device_record) + sizeDeviceRecord)
- return width;
- else
- return nullptr;
+ if (gid >= sizeDeviceRecord - DeviceRecord::min_size)
+ return nullptr;
+ return &(this->source_device_record->widthsZ[gid]);
}
};
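Review bot: The new guard `if (gid >= sizeDeviceRecord - DeviceRecord::min_size)` subtracts from what looks like an unsigned table field, so if sizeDeviceRecord is ever smaller than DeviceRecord::min_size the difference wraps to a huge value, every gid passes, and the returned pointer lands outside the record. If hdmx::sanitize already rejects sizeDeviceRecord below min_size this cannot occur, but nothing in this function shows that, and a local check makes the invariant explicit and cheap: `if (sizeDeviceRecord < DeviceRecord::min_size || gid >= sizeDeviceRecord - DeviceRecord::min_size) return nullptr;`. A one-line comment such as `/* widthsZ holds sizeDeviceRecord - min_size entries; bound gid by that count */` would also preserve the intent that the removed pointer comparison expressed more visibly. The enclosing function starts before this hunk; only its tail is visible here.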
@@ -135,6 +132,8 @@ struct hdmx
inline const DeviceRecord& operator [] (unsigned int i) const
{
+ /* XXX Null(DeviceRecord) is NOT safe as it's num-glyphs lengthed.
+ * https://github.com/harfbuzz/harfbuzz/issues/1300 */
if (unlikely (i >= numRecords)) return Null (DeviceRecord);
return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
}