[m17n-list] [PATCH] Fix buffer overruns in run_stages index array
From: Paul Eggert
Subject: [m17n-list] [PATCH] Fix buffer overruns in run_stages index array
Date: Fri, 13 Nov 2015 11:39:20 -0800
* m17n-flt.c (run_stages): Fix off-by-one bug in computing array
length; here, TO_POS is inclusive, not exclusive.
Also, do not overrun buffer if g_indices[len - 1] == -1.
---
src/ChangeLog | 7 +++++++
src/m17n-flt.c | 4 +++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 42dff3e..26982e8 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,10 @@
+2015-11-13 Paul Eggert <address@hidden>
+
+ Fix buffer overruns in run_stages index array
+ * m17n-flt.c (run_stages): Fix off-by-one bug in computing array
+ length; here, TO_POS is inclusive, not exclusive.
+ Also, do not overrun buffer if g_indices[len - 1] == -1.
+
2015-08-29 K. Handa <address@hidden>
* internal-gui.h (MGlyph): New member libotf_positioning_type.
diff --git a/src/m17n-flt.c b/src/m17n-flt.c
index bc1a0f2..be05eca 100644
--- a/src/m17n-flt.c
+++ b/src/m17n-flt.c
@@ -2287,7 +2287,7 @@ run_stages (MFLTGlyphString *gstring, int from, int to,
from_pos = GREF (ctx->in, from)->from;
to_pos = GREF (ctx->in, to - 1)->to;
- len = to_pos - from_pos;
+ len = to_pos - from_pos + 1;
buf = *(ctx->in);
buf.glyphs = NULL;
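Review bot: At `len = to_pos - from_pos + 1;` the fix depends on `->to` being an inclusive position, while the line above it indexes with `to - 1`, so the function's own `to` argument is exclusive. A one-line comment here stating that TO_POS is inclusive would keep the two conventions from being mixed up again. The other uses of `len` in run_stages, such as the array it gives the length of and the `i < len` bound in the later scan loop, lie outside this hunk and should be re-read against the new value.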
@@ -2427,6 +2427,8 @@ run_stages (MFLTGlyphString *gstring, int from, int to,
int this_from;
for (i++; i < len && g_indices[i] < 0; i++);
+ if (! (i < len))
+ break;
j = g_indices[i];
g = GREF (ctx->out, j);
this_from = g->from;
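Review bot: The guard after `for (i++; i < len && g_indices[i] < 0; i++);` does stop the out-of-range read at `j = g_indices[i];`, but `break` leaves the enclosing loop without running the rest of the body for the trailing run of negative entries. Please confirm that the code after the loop does not expect `g` or `this_from` to have been updated for that last range. The guard fires for any trailing run of negative entries, not only when `g_indices[len - 1] == -1` as the log message words it, so a short comment saying so would help. As a style point, the empty loop body is easy to miss with the `;` at the end of the `for` line; putting it on its own line would make the following `if` easier to read.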
--
2.1.0