From f49b5da0e7cfb1f4123cc6402b6a7c2d7ab2d3da Mon Sep 17 00:00:00 2001
From: bae
Date: Wed, 3 Apr 2019 03:51:25 +0100
Subject: [PATCH] 8219066: Fuzzing TrueType fonts: setCurrGlyphID()

Reviewed-by: andrew, mbalao
Contributed-by: Martin Balao
---
 .../sun/font/layout/ContextualSubstSubtables.cpp | 5 ++++-
 src/share/native/sun/font/layout/GlyphIterator.cpp | 10 ++++++++++
 .../native/sun/font/layout/SubstitutionLookups.cpp | 5 ++++-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp b/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp
index 8beae2730..c5c322076 100644
--- a/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp
+++ b/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp
@@ -67,7 +67,10 @@ void ContextualSubstitutionBase::applySubstitutionLookups(
         le_uint16 lookupListIndex = SWAPW(substLookupRecordArrayPtr[subst].lookupListIndex);
 
         tempIterator.setCurrStreamPosition(position);
-        tempIterator.next(sequenceIndex);
+        if (!tempIterator.next(sequenceIndex)) {
+            success = LE_INTERNAL_ERROR;
+            return;
+        }
 
         lookupProcessor->applySingleLookup(lookupListIndex, &tempIterator, fontInstance, success);
     }
diff --git a/src/share/native/sun/font/layout/GlyphIterator.cpp b/src/share/native/sun/font/layout/GlyphIterator.cpp
index 87f6d5974..eed52fc21 100644
--- a/src/share/native/sun/font/layout/GlyphIterator.cpp
+++ b/src/share/native/sun/font/layout/GlyphIterator.cpp
@@ -224,6 +224,16 @@ void GlyphIterator::getCursiveExitPoint(LEPoint &exitPoint) const
 
 void GlyphIterator::setCurrGlyphID(TTGlyphID glyphID)
 {
+    if (direction < 0) {
+        if (position <= nextLimit || position >= prevLimit) {
+            return;
+        }
+    } else {
+        if (position <= prevLimit || position >= nextLimit) {
+            return;
+        }
+    }
+
     LEGlyphID glyph = glyphStorage[position];
 
     glyphStorage[position] = LE_SET_GLYPH(glyph, glyphID);
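Review bot: The new early return on `tempIterator.next(sequenceIndex)` carries no comment, so a later reader cannot tell why a failed advance is reported as LE_INTERNAL_ERROR instead of being treated as a harmless no-op. Like lookupListIndex on the hunk's first context line, sequenceIndex is presumably read with SWAPW from the font's lookup record, i.e. from untrusted input, and an advance the iterator cannot complete is the malformed-font case this guard exists for. I would put above the `if`: `// sequenceIndex comes from the font; if the iterator cannot advance that far the record points past the glyphs we can reach, so fail the lookup instead of applying it at a stale position.` The identical guard added to applySubstitutionLookups in SubstitutionLookups.cpp wants the same comment. The enclosing for loop and function begin and end outside the hunk.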
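Review bot: The new range guard in setCurrGlyphID returns silently, so a caller whose position lies outside (prevLimit, nextLimit) gets no signal that the glyph write was dropped, and since the function is void nothing short of an interface change could report it; at minimum the intent should be written down next to the check. I would put above `if (direction < 0)`: `// A malformed font can drive position outside the iterator's range; refuse the write rather than index glyphStorage out of bounds. Both limits are exclusive, hence the strict comparisons.` The two branches differ only in which limit is the low bound and which the high, so the check reads more directly as one expression: `const le_int32 lo = direction < 0 ? nextLimit : prevLimit;` / `const le_int32 hi = direction < 0 ? prevLimit : nextLimit;` / `if (position <= lo || position >= hi) return;`. The function's closing brace lies outside the hunk.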
diff --git a/src/share/native/sun/font/layout/SubstitutionLookups.cpp b/src/share/native/sun/font/layout/SubstitutionLookups.cpp
index 7103a3fbb..3a0e18f75 100644
--- a/src/share/native/sun/font/layout/SubstitutionLookups.cpp
+++ b/src/share/native/sun/font/layout/SubstitutionLookups.cpp
@@ -67,7 +67,10 @@ void SubstitutionLookup::applySubstitutionLookups(
         le_uint16 lookupListIndex = SWAPW(substLookupRecordArray[subst].lookupListIndex);
 
         tempIterator.setCurrStreamPosition(position);
-        tempIterator.next(sequenceIndex);
+        if (!tempIterator.next(sequenceIndex)) {
+            success = LE_INTERNAL_ERROR;
+            return;
+        }
 
         lookupProcessor->applySingleLookup(lookupListIndex, &tempIterator, fontInstance, success);
     }
-- 
GitLab