From 45a775332be18c9d49802648d4b5879e02c12c63 Mon Sep 17 00:00:00 2001 From: Colin Rofls Date: Tue, 26 Sep 2023 16:17:08 -0400 Subject: [PATCH] [read-fonts] Fix possible crash in PackedPointNumbersIter This would only be encountered if the user manually tried to iterate packed points with a single 0x0 byte (signifying that there are points for all deltas) and did not also know how many points there were; but there's no reason not to be more careful here and at least stop iterating after u16::MAX items. --- read-fonts/src/tables/variations.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/read-fonts/src/tables/variations.rs b/read-fonts/src/tables/variations.rs index 7f692c9b8..41c37c7eb 100644 --- a/read-fonts/src/tables/variations.rs +++ b/read-fonts/src/tables/variations.rs @@ -362,7 +362,7 @@ impl Iterator for PackedPointNumbersIter<'_> { // if our count is zero, we keep incrementing forever if self.count == 0 { let result = self.last_val; - self.last_val += 1; + self.last_val = self.last_val.checked_add(1)?; return Some(result); } @@ -827,4 +827,13 @@ mod tests { assert_eq!(points.total_len(), 4); assert_eq!(data.len(), INPUT.len() - 4); } + + #[test] + fn packed_points_dont_panic() { + // a single '0' byte means that there are deltas for all points + static ALL_POINTS: FontData = FontData::new(&[0]); + let (all_points, _) = PackedPointNumbers::split_off_front(ALL_POINTS); + // in which case the iterator just keeps incrementing until u16::MAX + assert_eq!(all_points.iter().count(), u16::MAX as _); + } }