Fix overflow on short loca with offset values > 65536.

garretrieger · garretrieger · commit 9e61d634651a · 2025-02-27T16:29:02.000-07:00
diff --git a/common/font_helper_test.cc b/common/font_helper_test.cc
@@ -478,6 +478,61 @@ TEST_F(FontHelperTest, BuildFont) {
   ASSERT_EQ(table_2.str(), "table_2");
 }
 
+TEST_F(FontHelperTest, GlyfData_ShortOverflow) {
+  // This glyph has a start < 65536 and end > 65536 and so will create an
+  // overflow in offset calculation if the wrong data types are used.
+  auto data = FontHelper::GlyfData(roboto_vf.get(), 558);
+  ASSERT_TRUE(data.ok()) << data.status();
+  ASSERT_GT(data->size(), 0);
+}
+
+TEST_F(FontHelperTest, GlyfData_ShortOverflowSynthetic) {
+  hb_face_unique_ptr face = make_hb_face(hb_face_builder_create());
+
+  std::vector<uint8_t> loca = {
+      0xC3, 0x50,  // 50,000 (100,000 actual)
+      0xC3, 0x52,  // 50,002 (100,005 actual)
+  };
+  {
+    auto blob =
+        make_hb_blob(hb_blob_create((const char*)loca.data(), loca.size(),
+                                    HB_MEMORY_MODE_READONLY, nullptr, nullptr));
+    hb_face_builder_add_table(face.get(), HB_TAG('l', 'o', 'c', 'a'),
+                              blob.get());
+  }
+
+  std::vector<uint8_t> head(53, 0);
+  head[51] = 0;
+  {
+    auto blob =
+        make_hb_blob(hb_blob_create((const char*)head.data(), head.size(),
+                                    HB_MEMORY_MODE_READONLY, nullptr, nullptr));
+    hb_face_builder_add_table(face.get(), HB_TAG('h', 'e', 'a', 'd'),
+                              blob.get());
+  }
+
+  std::vector<uint8_t> glyf(100004, 0);
+  glyf[100000] = 1;
+  glyf[100001] = 2;
+  glyf[100002] = 3;
+  glyf[100003] = 4;
+  {
+    auto blob =
+        make_hb_blob(hb_blob_create((const char*)glyf.data(), glyf.size(),
+                                    HB_MEMORY_MODE_READONLY, nullptr, nullptr));
+    hb_face_builder_add_table(face.get(), HB_TAG('g', 'l', 'y', 'f'),
+                              blob.get());
+  }
+
+  auto blob = make_hb_blob(hb_face_reference_blob(face.get()));
+  auto concrete_face = make_hb_face(hb_face_create(blob.get(), 0));
+
+  auto data = FontHelper::GlyfData(concrete_face.get(), 0);
+  ASSERT_TRUE(data.ok()) << data.status();
+  std::string expected = {1, 2, 3, 4};
+  ASSERT_EQ(*data, expected);
+}
+
 // TODO test BuildFont...
 
 }  // namespace common
diff --git a/common/indexed_data_reader.h b/common/indexed_data_reader.h
@@ -1,6 +1,8 @@
 #ifndef COMMON_INDEXED_DATA_READER_H_
 #define COMMON_INDEXED_DATA_READER_H_
 
+#include <cstdint>
+
 #include "absl/status/statusor.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
@@ -28,11 +30,14 @@ class IndexedDataReader {
           absl::StrCat("Entry ", id, " not found in offset table."));
     }
 
-    offset_type start_offset =
-        ReadValue(start_index, offsets_) * offset_multiplier;
-    offset_type end_offset = ReadValue(end_index, offsets_) * offset_multiplier;
+    uint32_t start_offset =
+        ((uint32_t)ReadValue(start_index, offsets_)) * offset_multiplier;
+    uint32_t end_offset =
+        ((uint32_t)ReadValue(end_index, offsets_)) * offset_multiplier;
     if (end_offset < start_offset) {
-      return absl::InvalidArgumentError("Invalid index. end < start.");
+      return absl::InvalidArgumentError(
+          absl::StrCat("Invalid index. end (", end_offset, ") < start (",
+                       start_offset, "), width = ", width, "."));
     }
 
     if (end_offset > data_.size()) {
