diff --git a/ChangeLog b/ChangeLog index d1b65595d..56b77d74d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2014-03-17 Werner Lemberg + + Fix Savannah bug #41869. + + This works around a problem with HarfBuzz (<= 0.9.26), which doesn't + validate glyph indices returned by + `hb_ot_layout_lookup_collect_glyphs'. + + * src/autofit/hbshim.c (af_get_coverage): Guard `idx'. + + * docs/CHANGES: Updated. + 2014-03-14 Werner Lemberg * builds/unix/configure.raw: Don't show error messages of `which'. diff --git a/docs/CHANGES b/docs/CHANGES index 803f02dc6..69e50b423 100644 --- a/docs/CHANGES +++ b/docs/CHANGES @@ -1,11 +1,20 @@ +CHANGES BETWEEN 2.5.3 and 2.5.4 + + I. IMPORTANT BUG FIXES + + - The new auto-hinter code using HarfBuzz crashed for some invalid + fonts. + + +====================================================================== CHANGES BETWEEN 2.5.2 and 2.5.3 I. IMPORTANT BUG FIXES - - A vulnerability was identified and fixed in the new CFF driver - (cf. http://savannah.nongnu.org/bugs/?41697; it doesn't have a - CVE number yet). All users should upgrade. + - A vulnerability (CVE-2014-2240) was identified and fixed in the + new CFF driver (cf. http://savannah.nongnu.org/bugs/?41697). + All users should upgrade. - More bug fixes related to correct positioning of composite glyphs. diff --git a/src/autofit/hbshim.c b/src/autofit/hbshim.c index 11fb743e8..2eda8d7ce 100644 --- a/src/autofit/hbshim.c +++ b/src/autofit/hbshim.c @@ -347,6 +347,11 @@ count++; #endif + /* HarfBuzz 0.9.26 and older doesn't validate glyph indices */ + /* returned by `hb_ot_layout_lookup_collect_glyphs'... */ + if ( idx >= (hb_codepoint_t)globals->glyph_count ) + continue; + if ( gstyles[idx] == AF_STYLE_UNASSIGNED ) gstyles[idx] = (FT_Byte)style_class->style; #ifdef FT_DEBUG_LEVEL_TRACE
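Review bot: In the hbshim.c hunk the new range guard sits after the `count++;` that closes the preceding `#endif` block, so an out-of-range `idx` is still tallied before it is skipped; if that counter feeds the trace output (it appears to be inside an `FT_DEBUG_LEVEL_TRACE` section, judging by the `#ifdef` that follows, though its opening line is outside the hunk), the reported count will overstate the glyphs actually assigned, so move the check above that block or skip the increment on the `continue` path. The comment ties the check to HarfBuzz <= 0.9.26, but `idx` ultimately comes from font data via a third-party library, so the bounds check should stay even after the minimum HarfBuzz version is raised; suggest `/* Always guard idx: HarfBuzz <= 0.9.26 returns unvalidated glyph indices from hb_ot_layout_lookup_collect_glyphs, and the check is cheap. */` so a later cleanup does not drop it. The cast `(hb_codepoint_t)globals->glyph_count` converts whatever type `glyph_count` has without a sign check; presumably it is non-negative here, but if it were a signed type holding a negative value the cast would yield a huge bound and silently disable the guard, so worth confirming. The enclosing af_get_coverage starts and ends outside the hunk.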