Add assertions to avoid overflow t happen when subtracting from an unsigned index

alerque · alerque · commit d5b704b531e6 · 2024-11-11T10:58:16.000+03:00
diff --git a/src/hb/ot_layout_gsubgpos.rs b/src/hb/ot_layout_gsubgpos.rs
@@ -170,6 +170,9 @@ pub fn match_lookahead(
     start_index: usize,
     end_index: &mut usize,
 ) -> bool {
+    // Function should always be called with a non-zero starting index
+    // c.f. https://github.com/harfbuzz/rustybuzz/issues/142
+    assert!(start_index >= 1);
     let mut iter = skipping_iterator_t::new(ctx, start_index - 1, true);
     iter.set_glyph_data(0);
     iter.enable_matching(match_func);
@@ -977,7 +980,7 @@ fn apply_lookup(
         }
     }
 
-    ctx.buffer.move_to(end as usize);
+    ctx.buffer.move_to(end.try_into().unwrap());
 }
 
 /// Value represents glyph class.
@@ -1316,6 +1319,9 @@ pub fn ligate_input(
                 if this_comp == 0 {
                     this_comp = last_num_comps;
                 }
+                // Avoid the potential for a wrap-around bug when subtracting from an unsigned integer
+                // c.f. https://github.com/harfbuzz/rustybuzz/issues/142
+                assert!(comps_so_far >= last_num_comps);
                 let new_lig_comp = comps_so_far - last_num_comps + this_comp.min(last_num_comps);
                 _hb_glyph_info_set_lig_props_for_mark(cur, lig_id, new_lig_comp);
             }
@@ -1344,6 +1350,9 @@ pub fn ligate_input(
                 break;
             }
 
+            // Avoid the potential for a wrap-around bug when subtracting from an unsigned integer
+            // c.f. https://github.com/harfbuzz/rustybuzz/issues/142
+            assert!(comps_so_far >= last_num_comps);
             let new_lig_comp = comps_so_far - last_num_comps + this_comp.min(last_num_comps);
             _hb_glyph_info_set_lig_props_for_mark(info, lig_id, new_lig_comp)
         }

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,9 @@ pub fn match_lookahead(`
`170`	`170`	`start_index: usize,`
`171`	`171`	`end_index: &mut usize,`
`172`	`172`	`) -> bool {`
	`173`	`+ // Function should always be called with a non-zero starting index`
	`174`	`+ // c.f. https://github.com/harfbuzz/rustybuzz/issues/142`
	`175`	`+ assert!(start_index >= 1);`
`173`	`176`	`let mut iter = skipping_iterator_t::new(ctx, start_index - 1, true);`
`174`	`177`	`iter.set_glyph_data(0);`
`175`	`178`	`iter.enable_matching(match_func);`
`@@ -977,7 +980,7 @@ fn apply_lookup(`
`977`	`980`	`}`
`978`	`981`	`}`
`979`	`982`
`980`		`- ctx.buffer.move_to(end as usize);`
	`983`	`+ ctx.buffer.move_to(end.try_into().unwrap());`
`981`	`984`	`}`
`982`	`985`
`983`	`986`	`/// Value represents glyph class.`
`@@ -1316,6 +1319,9 @@ pub fn ligate_input(`
`1316`	`1319`	`if this_comp == 0 {`
`1317`	`1320`	`this_comp = last_num_comps;`
`1318`	`1321`	`}`
	`1322`	`+ // Avoid the potential for a wrap-around bug when subtracting from an unsigned integer`
	`1323`	`+ // c.f. https://github.com/harfbuzz/rustybuzz/issues/142`
	`1324`	`+ assert!(comps_so_far >= last_num_comps);`
`1319`	`1325`	`let new_lig_comp = comps_so_far - last_num_comps + this_comp.min(last_num_comps);`
`1320`	`1326`	`_hb_glyph_info_set_lig_props_for_mark(cur, lig_id, new_lig_comp);`
`1321`	`1327`	`}`
`@@ -1344,6 +1350,9 @@ pub fn ligate_input(`
`1344`	`1350`	`break;`
`1345`	`1351`	`}`
`1346`	`1352`
	`1353`	`+ // Avoid the potential for a wrap-around bug when subtracting from an unsigned integer`
	`1354`	`+ // c.f. https://github.com/harfbuzz/rustybuzz/issues/142`
	`1355`	`+ assert!(comps_so_far >= last_num_comps);`
`1347`	`1356`	`let new_lig_comp = comps_so_far - last_num_comps + this_comp.min(last_num_comps);`
`1348`	`1357`	`_hb_glyph_info_set_lig_props_for_mark(info, lig_id, new_lig_comp)`
`1349`	`1358`	`}`