44f7d6ecde9bf7427a05cbe73ed5d668b8a72b2a - third_party/harfbuzz

commit	44f7d6ecde9bf7427a05cbe73ed5d668b8a72b2a	[log] [tgz]
author	jfkthame <jfkthame@gmail.com>	Fri Feb 17 03:03:24 2017 +0000
committer	Behdad Esfahbod <behdad@behdad.org>	Thu Feb 16 19:03:24 2017 -0800
tree	d3cc0f4bff1d117ac9b20430b627aaf7b7b19b28
parent	45766b673f427bb791c9d5886cadedfac0447066 [diff]

Guard against underflow when adjusting length (#421)

* Guard against underflow when adjusting length

With the fuzz-testcase in mozilla bug 1295299, we end up with a recursed lookup that removes 3 items, when `match_positions[idx]` is 0, which results in (unsigned) `end` wrapping to a huge value.

Making `end` a signed int is probably the simplest route to a fix.

Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1295299.

* Add testcase for #421.

src/hb-ot-layout-gsubgpos-private.hh[diff]
test/shaping/fonts/sha1sum/558661aa659912f4d30ecd27bd09835171a8e2b0.ttf[Added - diff]
test/shaping/tests/fuzzed.tests[diff]

3 files changed

tree: d3cc0f4bff1d117ac9b20430b627aaf7b7b19b28

.ci/
docs/
m4/
src/
test/
util/
win32/
README.md ⇨ README
.travis.yml
appveyor.yml
AUTHORS
autogen.sh
BUILD.md
configure.ac
COPYING
git.mk
harfbuzz.doap
Makefile.am
NEWS
README
README.python
THANKS
TODO