casa-mp-base

--- src/gui/text/qfontengine.cpp.orig

+++ src/gui/text/qfontengine.cpp

@@ -69,6 +69,16 @@

     }

 }

+template<typename T>

+static inline bool qSafeFromBigEndian(const uchar *source, const uchar *end, T *output)

+{

+    if (source + sizeof(T) > end)

+        return false;

+

+    *output = qFromBigEndian<T>(source);

+    return true;

+}

+

 // Harfbuzz helper functions

 static HB_Bool hb_stringToGlyphs(HB_Font font, const HB_UChar16 *string, hb_uint32 length, HB_Glyph *glyphs, hb_uint32 *numGlyphs, HB_Bool rightToLeft)

@@ -808,26 +818,38 @@

         return;

     const uchar *table = reinterpret_cast<const uchar *>(tab.constData());

+    const uchar *end = table + tab.size();

+

+    quint16 version;

+    if (!qSafeFromBigEndian(table, end, &version))

+        return;

-    unsigned short version = qFromBigEndian<quint16>(table);

     if (version != 0) {

 //        qDebug("wrong version");

        return;

     }

-    unsigned short numTables = qFromBigEndian<quint16>(table + 2);

+    quint16 numTables;

+    if (!qSafeFromBigEndian(table + 2, end, &numTables))

+        return;

+

     {

         int offset = 4;

         for(int i = 0; i < numTables; ++i) {

-            if (offset + 6 > tab.size()) {

-//                qDebug("offset out of bounds");

-                goto end;

-            }

             const uchar *header = table + offset;

-            ushort version = qFromBigEndian<quint16>(header);

-            ushort length = qFromBigEndian<quint16>(header+2);

-            ushort coverage = qFromBigEndian<quint16>(header+4);

+            quint16 version;

+            if (!qSafeFromBigEndian(header, end, &version))

+                goto end;

+

+            quint16 length;

+            if (!qSafeFromBigEndian(header + 2, end, &length))

+                goto end;

+

+            quint16 coverage;

+            if (!qSafeFromBigEndian(header + 4, end, &coverage))

+                goto end;

+

 //            qDebug("subtable: version=%d, coverage=%x",version, coverage);

             if(version == 0 && coverage == 0x0001) {

                 if (offset + length > tab.size()) {

@@ -836,7 +858,10 @@

                 }

                 const uchar *data = table + offset + 6;

-                ushort nPairs = qFromBigEndian<quint16>(data);

+                quint16 nPairs;

+                if (!qSafeFromBigEndian(data, end, &nPairs))

+                    goto end;

+

                 if(nPairs * 6 + 8 > length - 6) {

 //                    qDebug("corrupt table!");

                     // corrupt table

@@ -846,8 +871,21 @@

                 int off = 8;

                 for(int i = 0; i < nPairs; ++i) {

                     QFontEngine::KernPair p;

-                    p.left_right = (((uint)qFromBigEndian<quint16>(data+off)) << 16) + qFromBigEndian<quint16>(data+off+2);

-                    p.adjust = QFixed(((int)(short)qFromBigEndian<quint16>(data+off+4))) / scalingFactor;

+

+                    quint16 tmp;

+                    if (!qSafeFromBigEndian(data + off, end, &tmp))

+                        goto end;

+

+                    p.left_right = uint(tmp) << 16;