| Index: third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
|
| diff --git a/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh b/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
|
| index 546ff4b0fde320d7a18ab04451e035923a3b9ae5..fc9eed0063a0796a3f376e1336b9e6c89b311269 100644
|
| --- a/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
|
| +++ b/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
|
| @@ -1479,6 +1479,7 @@ struct ContextFormat3
|
| TRACE_SANITIZE (this);
|
| if (!c->check_struct (this)) return TRACE_RETURN (false);
|
| unsigned int count = glyphCount;
|
| + if (!count) return TRACE_RETURN (false); /* We want to access coverage[0] freely. */
|
| if (!c->check_array (coverage, coverage[0].static_size, count)) return TRACE_RETURN (false);
|
| for (unsigned int i = 0; i < count; i++)
|
| if (!coverage[i].sanitize (c, this)) return TRACE_RETURN (false);
|
| @@ -2090,6 +2091,7 @@ struct ChainContextFormat3
|
| if (!backtrack.sanitize (c, this)) return TRACE_RETURN (false);
|
| OffsetArrayOf<Coverage> &input = StructAfter<OffsetArrayOf<Coverage> > (backtrack);
|
| if (!input.sanitize (c, this)) return TRACE_RETURN (false);
|
| + if (!input.len) return TRACE_RETURN (false); /* To be consistent with Context. */
|
| OffsetArrayOf<Coverage> &lookahead = StructAfter<OffsetArrayOf<Coverage> > (input);
|
| if (!lookahead.sanitize (c, this)) return TRACE_RETURN (false);
|
| ArrayOf<LookupRecord> &lookup = StructAfter<ArrayOf<LookupRecord> > (lookahead);
|
|
|
Chromium Code Reviews
Issue 816543004:
Update from https://crrev.com/308996 (Closed)
Base URL: git@github.com:domokit/mojo.git@master