From a998eeee4ad7bba4a1574c9735618891b6bd0948 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Tue, 20 Feb 2018 16:48:52 -0800
Subject: [PATCH] [subset] sanity check glyph data writes during glyph
 subsetting to ensure they are inbounds.

---
 src/hb-subset-glyf.cc | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/hb-subset-glyf.cc b/src/hb-subset-glyf.cc
index c337e65b..d57b4115 100644
--- a/src/hb-subset-glyf.cc
+++ b/src/hb-subset-glyf.cc
@@ -89,7 +89,6 @@ _write_loca_entry (unsigned int  id,
   return false;
 }
 
-
 static void
 _update_components (hb_subset_plan_t * plan,
 		    char * glyph_start,
@@ -124,7 +123,6 @@ _write_glyf_and_loca_prime (hb_subset_plan_t              *plan,
                             unsigned int                   loca_prime_size,
                             char                          *loca_prime_data /* OUT */)
 {
-  // TODO(grieger): Sanity check writes to make sure they are in-bounds.
   hb_prealloced_array_t<hb_codepoint_t> &glyph_ids = plan->gids_to_retain_sorted;
   char *glyf_prime_data_next = glyf_prime_data;
 
@@ -136,6 +134,15 @@ _write_glyf_and_loca_prime (hb_subset_plan_t              *plan,
       end_offset = start_offset = 0;
 
     int length = end_offset - start_offset;
+
+    if (glyf_prime_data_next + length > glyf_prime_data + glyf_prime_size)
+    {
+      DEBUG_MSG (SUBSET,
+                 nullptr,
+                 "WARNING: Attempted to write an out of bounds glyph entry for gid %d",
+                 i);
+      return false;
+    }
     memcpy (glyf_prime_data_next, glyf_data + start_offset, length);
 
     success = success && _write_loca_entry (i,
-- 
GitLab