GNOME Bugzilla – Bug 118592
Length overruns when skipping glyphs
Last modified: 2004-12-22 21:47:04 UTC
[ Part of bug 118472, reported by Kailash C. Chowksey ] When checking for glyphs that should be skipped because of LookupFlags, the code is typically like: for ( numlig = ls->LigatureSet[index].LigatureCount; numlig; numlig--, lig++ ) { if ( in->pos + lig->ComponentCount > in->length ) continue; /* Not enough glyphs in input */ [....] for ( i = 1, j = 1; i < lig->ComponentCount; i++, j++ ) { while ( CHECK_Property( gdef, s_in[j], flags, &property ) ) { if ( error && error != TTO_Err_Not_Covered ) return error; if ( in->pos + j < in->length ) j++; else break; } [...] if ( s_in[j] != c[i - 1] ) break; } if ( i == lig->ComponentCount ) { [ Apply this ligature ] } } The initial length check is an initial approximation and probably useful as a speedup, but not sufficient because we are skipping glyphs; also there is an off-by-one There are various ways that this could be fixed up. I think the cleanest would be: for ( numlig = ls->LigatureSet[index].LigatureCount; numlig; numlig--, lig++ ) { if ( in->pos + lig->ComponentCount > in->length ) continue; /* Not enough glyphs in input */ [...] for ( i = 1, j = 1; i < lig->ComponentCount; i++, j++ ) { if ( in->pos + j == in->length ) goto next_ligature; while ( CHECK_Property( gdef, s_in[j], flags, &property ) ) { if ( error && error != TTO_Err_Not_Covered ) return error; j++; if ( in->pos + j == in->length ) goto next_ligature; } [...] if ( s_in[j] != c[i - 1] ) goto next_ligature; } [ Apply this ligature ] next_ligature: ; } There are, by a rough count, about a dozen places that need fixing in ftxgsub.c and a dozen more in ftxgpos.c.
Created attachment 19100 [details] [review] patch to ftxgsub.c
I have thoroughly tested the above patch for ftxgsub.c using all kinds of GSUB lookups affected by this patch. Please see http://www.arbornet.org/~klchxbec/example.ttx for testcases that were used to test this patch. I cannot test fixes to ftxgpos.c due to some bugs in TTX. Please consider checking-in only the ftxgsub.c fixes for now since they fix a majority of rendering problems for indic languages.
I'd really rather have entirely untested fixes for GPOS than leave ftxgsub.c and ftxgpos.c inconsistent. Pushing off to 1.2.5 since I don't have time to review in detail at the moment, and it's a rather big patch to apply right before a release.
The interrnals of ftxgsub.c and ftxgpos.c changed a fair bit in Pango-1.4 so I had to start over pretty much from scratch. I also rewrote some of the index handling to reduce the total amount of code and complexity. Mon Jul 19 16:29:45 2004 Owen Taylor <otaylor@redhat.com> * pango/opentype/ftxgsub.c pango/opentype/ftxgpos.c: Fix pervasive buffer overruns when skipping glyphs when matching contexts. (#118592, Kailash C. Chowksey)
Created attachment 29670 [details] [review] Patch as applied Here's the patch I applied. Testing (even just of the GSUB portions) would be appreciated.