Bug
Resolution: Fixed
P4
9
None
b151
This change fixes a number of smaller problems where the code is written in a questionable way or is wrong in unlikely cases.
hg-ot-font.cc
Looks like assignment instead of compare. Use extra if().
hg-ot_layout-gpos-table.hh
valueFormat is passed to apply(), where it is used as an array with two elements:
line 621: valueFormats[1].get_len();
It was correct as there are actually two fields in the struct that have the
same layout as an array.
ScriptAndLanguageTags.cpp, ThaiShaping.cpp/.h
In ThaiShaping.cpp:307 conState is passed to getNextState(), where it is ultimately used to index into thaiStateTable.
thaiStateTable has 52 elements. But conState is initialized to 0xFF == 255 in ThaiShaping.cpp:296. This can result in an out-of-bounds access.
OpenTypeLayoutEngine::scriptTags[scriptCodeCount] is accessed with index < scriptCodeCount, but only contains scriptCodeCount-1 elements.
I added a size entry to the enums, and use that for sizing the array and checking the size.
jctrans.c
If cinfo->entropy->encode_mcu resolves to encode_mcu_AC_first(), it will access MCU_buffer[0]. (jcphuff.c:487)
cmserr.c
Must check return value of ftell.
cmsgamma.c
Out/out/in are used as arrays in called function.
cmslut.c
Out[] may be used uninitialized.
cmstypes.c
Must check return value of Tell. The negative outcome should not be passed to Seek.
cmsxform.c
Using uninitialized element of array wIn when calling *p->FromInput. (The function pointer resolves to Pack1Byte.)
Using uninitialized element of array fIn when calling *p->FromInputFloat. (The function pointer resolves to PackDoublesFromFloat.)
Using uninitialized element of array fIn when calling *p->FromInputFloat. (The function pointer resolves to PackDoublesFromFloat.)
PLATFORM_API_LinuxOS_ALSA_Ports.c
Using uninitialized element of array controls when calling *creator->newCompoundControl. (The function pointer resolves to PORT_NewCompoundControl.)
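The table-indexing pattern from the ThaiShaping.cpp and scriptTags items above, as an added example that is not code from the JDK or from this change: a trailing size entry in each enum dimensions the table, a compile-time check catches an array that is one element short, and a sentinel such as 0xFF is rejected before it is used as an index. All names and table contents here are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical enums; the trailing *_COUNT member is the "size entry"
 * used both to size the arrays and to bound every index. */
enum state { ST_START, ST_BASE, ST_MARK, ST_COUNT };
enum cls   { CL_CONS, CL_VOWEL, CL_TONE, CL_COUNT };

#define ST_NONE 0xFFu   /* sentinel "no state yet", like conState = 0xFF */

/* Constructed transition table, dimensioned by the size entries. */
static const uint8_t state_table[ST_COUNT][CL_COUNT] = {
    /* ST_START */ { ST_BASE, ST_START, ST_START },
    /* ST_BASE  */ { ST_BASE, ST_MARK,  ST_MARK  },
    /* ST_MARK  */ { ST_BASE, ST_START, ST_MARK  },
};

/* Array with an implicit length: if an entry is forgotten (the scriptTags
 * case), the build fails instead of the lookup reading past the end. */
static const char *const cls_names[] = { "cons", "vowel", "tone" };
_Static_assert(sizeof cls_names / sizeof cls_names[0] == CL_COUNT,
               "cls_names must have one entry per enum cls value");

/* Stores the next state in *out and returns 0, or returns -1 without
 * touching the table when either index is out of range. */
int next_state(unsigned prev, unsigned c, uint8_t *out)
{
    if (prev >= ST_COUNT || c >= CL_COUNT)
        return -1;              /* covers ST_NONE (255) as well */
    *out = state_table[prev][c];
    return 0;
}

/* Runs a class sequence from an initial state; returns the final state
 * or -1 as soon as any lookup would be out of bounds. */
int run(unsigned initial, const uint8_t *classes, unsigned n)
{
    uint8_t st = (uint8_t)initial;
    for (unsigned i = 0; i < n; i++)
        if (next_state(st, classes[i], &st) != 0)
            return -1;
    return st;
}

int main(void)
{
    const uint8_t seq[] = { CL_CONS, CL_VOWEL, CL_TONE };
    printf("from ST_START: %d\n", run(ST_START, seq, 3));
    printf("from ST_NONE:  %d\n", run(ST_NONE, seq, 3));
    return 0;
}
```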