Fix buffer-overrun with Bengali reph positioning code

This has no security implications whatsoever since we always keep and extra element at the end of buffer, just in case. Discovered by oss-fuzz CC https://github.com/behdad/harfbuzz/issues/139 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=660

Fix buffer-overrun with Bengali reph positioning code
This has no security implications whatsoever since we always keep and extra element at the end of buffer, just in case. Discovered by oss-fuzz CC https://github.com/behdad/harfbuzz/issues/139 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=660
85630996 · Behdad Esfahbod · 6685d281 · 85630996
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

src/hb-ot-shape-complex-indic.cc src/hb-ot-shape-complex-indic.cc +1 -1

未找到文件。
--- a/src/hb-ot-shape-complex-indic.cc
+++ b/src/hb-ot-shape-complex-indic.cc
@@ -1497,7 +1497,7 @@ final_reordering_syllable (const hb_ot_shape_plan_t *plan,
    if (reph_pos == REPH_POS_AFTER_SUB)
    {
      new_reph_pos = base;
-      while (new_reph_pos < end &&
+      while (new_reph_pos + 1 < end &&
 	     !( FLAG_SAFE (info[new_reph_pos + 1].indic_position()) & (FLAG (POS_POST_C) | FLAG (POS_AFTER_POST) | FLAG (POS_SMVD))))
 	new_reph_pos++;
      if (new_reph_pos < end)