Diffstat (limited to 'freetype/src/gxvalid/gxvmort2.c')
-rw-r--r--freetype/src/gxvalid/gxvmort2.c37
1 files changed, 33 insertions, 4 deletions
diff --git a/freetype/src/gxvalid/gxvmort2.c b/freetype/src/gxvalid/gxvmort2.c
index 6f77cf39c..9e08fb792 100644
--- a/freetype/src/gxvalid/gxvmort2.c
+++ b/freetype/src/gxvalid/gxvmort2.c
@@ -155,8 +155,7 @@
ligActionOffset, lat_base - p ));
/* FontValidator, ftxvalidator, ftxdumperfuser warn but continue */
- if ( valid->root->level >= FT_VALIDATE_PARANOID )
- FT_INVALID_OFFSET;
+ GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET );
}
else if ( lat_limit < p )
{
@@ -164,23 +163,46 @@
ligActionOffset, p - lat_limit ));
/* FontValidator, ftxvalidator, ftxdumperfuser warn but continue */
- if ( valid->root->level >= FT_VALIDATE_PARANOID )
- FT_INVALID_OFFSET;
+ GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET );
}
else
{
/* validate entry in ligActionTable */
FT_ULong lig_action;
+#ifdef GXV_LOAD_UNUSED_VARS
FT_UShort last;
FT_UShort store;
+#endif
FT_ULong offset;
lig_action = FT_NEXT_ULONG( p );
+#ifdef GXV_LOAD_UNUSED_VARS
last = (FT_UShort)( ( lig_action >> 31 ) & 1 );
store = (FT_UShort)( ( lig_action >> 30 ) & 1 );
+#endif
+ /* Apple spec defines this offset as a word offset */
offset = lig_action & 0x3FFFFFFFUL;
+ if ( offset * 2 < optdata->ligatureTable )
+ {
+ GXV_TRACE(( "too short offset 0x%08x:"
+ " 2 x offset < ligatureTable (%d byte rewind)\n",
+ offset, optdata->ligatureTable - offset * 2 ));
+
+ GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET );
+ } else if ( offset * 2 >
+ optdata->ligatureTable + optdata->ligatureTable_length )
+ {
+ GXV_TRACE(( "too long offset 0x%08x:"
+ " 2 x offset > ligatureTable + ligatureTable_length"
+ " (%d byte overrun)\n",
+ offset,
+ optdata->ligatureTable + optdata->ligatureTable_length
+ - offset * 2 ));
+
+ GXV_SET_ERR_IF_PARANOID( FT_INVALID_OFFSET );
+ }
}
}
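Review bot: The overrun figure in the second added GXV_TRACE is computed as `optdata->ligatureTable + optdata->ligatureTable_length - offset * 2`, but that branch is taken only when `offset * 2` is the larger value, so the unsigned subtraction wraps instead of giving a byte count; the operands should be swapped to `offset * 2 - ( optdata->ligatureTable + optdata->ligatureTable_length )`. Both traces also pass the FT_ULong `offset` (and an FT_ULong difference) to `%08x` and `%d`, which mismatches on platforms where long is wider than int; `%08lx` and `%ld` would match the argument types. The upper bound is tested with `>`, so an offset that lands exactly on the end of the ligature table is accepted even though no entry can be read there; `>=` looks intended, assuming ligatureTable_length is a byte length. The enclosing function starts and ends outside this hunk.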
@@ -194,8 +216,10 @@
FT_Bytes limit,
GXV_Validator valid )
{
+#ifdef GXV_LOAD_UNUSED_VARS
FT_UShort setComponent;
FT_UShort dontAdvance;
+#endif
FT_UShort offset;
FT_UNUSED( state );
@@ -203,8 +227,10 @@
FT_UNUSED( limit );
+#ifdef GXV_LOAD_UNUSED_VARS
setComponent = (FT_UShort)( ( flags >> 15 ) & 1 );
dontAdvance = (FT_UShort)( ( flags >> 14 ) & 1 );
+#endif
offset = (FT_UShort)( flags & 0x3FFFU );
@@ -237,6 +263,9 @@
GXV_LIMIT_CHECK( 2 );
lig_gid = FT_NEXT_USHORT( p );
+
+ if ( valid->face->num_glyphs < lig_gid )
+ GXV_SET_ERR_IF_PARANOID( FT_INVALID_GLYPH_ID );
}
}
GXV_EXIT;
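Review bot: The added bound `valid->face->num_glyphs < lig_gid` lets `lig_gid == num_glyphs` through, although valid glyph indices run from 0 to num_glyphs - 1; `if ( valid->face->num_glyphs <= lig_gid )` would reject the first out-of-range index as well. Like the other checks in this commit the error is raised only at paranoid level, so at lower validation levels a table holding an out-of-range ligature glyph still passes; a comment such as `/* out-of-range glyph is tolerated below PARANOID; consumers must re-check */` would make that intent explicit. The enclosing function begins outside the hunk.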