提交 1c635038 编写于 作者: L lancer

Description: fix CVE-2023-25193

IssueNo: https://gitee.com/openharmony/third_party_harfbuzz/issues/I6S0VH
Feature or Bugfix: Bugfix
Binary Source:No
Signed-off-by: Nlancer <haoshuo@huawei.com>
上级 41a011c8
......@@ -307,7 +307,8 @@ typedef enum { /*< flags >*/
HB_BUFFER_FLAG_EOT = 0x00000002u, /* End-of-text */
HB_BUFFER_FLAG_PRESERVE_DEFAULT_IGNORABLES = 0x00000004u,
HB_BUFFER_FLAG_REMOVE_DEFAULT_IGNORABLES = 0x00000008u,
HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE = 0x00000010u
HB_BUFFER_FLAG_DO_NOT_INSERT_DOTTED_CIRCLE = 0x00000010u,
HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT = 0x00000040u
} hb_buffer_flags_t;
HB_EXTERN void
......
......@@ -535,7 +535,17 @@ struct hb_ot_apply_context_t :
bool prev ()
{
assert (num_items > 0);
while (idx > num_items - 1)
/* The alternate condition below is faster at string boundaries,
* but produces subpar "unsafe-to-concat" values. */
unsigned stop = num_items - 1;
if (c->buffer->flags & HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT)
stop = 1 - 1;
/*When looking back, limit how far we search; this function is mostly
* used for looking back for base glyphs when attaching marks. If we
* don't limit, we can get O(n^2) behavior where n is the number of
* consecutive marks. */
stop = (unsigned) hb_max ((int) stop, (int) idx - HB_MAX_CONTEXT_LENGTH);
while (idx > stop)
{
idx--;
const hb_glyph_info_t &info = c->buffer->out_info[idx];
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册