From d8a66e634c969925b9022a23eefb42ff3314247d Mon Sep 17 00:00:00 2001
From: Nikolay Sivov <nsivov@codeweavers.com>
Date: Sun, 12 Oct 2014 18:18:10 +0400
Subject: [PATCH] dwrite: Refuse to create IDWriteFontFace with invalid
 collection index.

---
 dlls/dwrite/dwrite_private.h |  2 +-
 dlls/dwrite/font.c           |  5 ++++-
 dlls/dwrite/opentype.c       | 43 +++++++++++++++----------------------------
 dlls/dwrite/tests/font.c     | 10 +++++++---
 4 files changed, 27 insertions(+), 33 deletions(-)

diff --git a/dlls/dwrite/dwrite_private.h b/dlls/dwrite/dwrite_private.h
index af3ae79a4ea..b3bd1dfae9d 100644
--- a/dlls/dwrite/dwrite_private.h
+++ b/dlls/dwrite/dwrite_private.h
@@ -107,7 +107,7 @@ extern HRESULT font_create_fontface(IDWriteFactory *iface, DWRITE_FONT_FACE_TYPE
 
 /* Opentype font table functions */
 extern HRESULT opentype_analyze_font(IDWriteFontFileStream*,UINT32*,DWRITE_FONT_FILE_TYPE*,DWRITE_FONT_FACE_TYPE*,BOOL*) DECLSPEC_HIDDEN;
-extern HRESULT find_font_table(IDWriteFontFileStream *stream, UINT32 font_index, UINT32 tag, const void** table_data, void** table_context, UINT32 *table_size, BOOL* found) DECLSPEC_HIDDEN;
+extern HRESULT opentype_get_font_table(IDWriteFontFileStream*,DWRITE_FONT_FACE_TYPE,UINT32,UINT32,const void**,void**,UINT32*,BOOL*) DECLSPEC_HIDDEN;
 extern VOID OpenType_CMAP_GetGlyphIndex(LPVOID data, DWORD utf32c, LPWORD pgi, DWORD flags) DECLSPEC_HIDDEN;
 extern VOID get_font_properties(LPCVOID os2, LPCVOID head, LPCVOID post, DWRITE_FONT_METRICS *metrics, DWRITE_FONT_STRETCH *stretch, DWRITE_FONT_WEIGHT *weight, DWRITE_FONT_STYLE *style) DECLSPEC_HIDDEN;
 
diff --git a/dlls/dwrite/font.c b/dlls/dwrite/font.c
index 329105487ee..a220501db9f 100644
--- a/dlls/dwrite/font.c
+++ b/dlls/dwrite/font.c
@@ -429,7 +429,7 @@ static HRESULT WINAPI dwritefontface_TryGetFontTable(IDWriteFontFace2 *iface, UI
                 continue;
             tablecontext->file_index = i;
 
-            hr = find_font_table(stream, This->data->index, table_tag, table_data, &tablecontext->context, table_size, exists);
+            hr = opentype_get_font_table(stream, This->data->type, This->data->index, table_tag, table_data, &tablecontext->context, table_size, exists);
 
             IDWriteFontFileStream_Release(stream);
         }
@@ -1619,6 +1619,9 @@ HRESULT font_create_fontface(IDWriteFactory *iface, DWRITE_FONT_FACE_TYPE facety
 
     *font_face = NULL;
 
+    if (facetype != DWRITE_FONT_FACE_TYPE_TRUETYPE_COLLECTION && index)
+        return E_INVALIDARG;
+
     This = heap_alloc(sizeof(struct dwrite_fontface));
     if (!This) return E_OUTOFMEMORY;
     This->data = heap_alloc(sizeof(struct dwrite_fontface_data));
diff --git a/dlls/dwrite/opentype.c b/dlls/dwrite/opentype.c
index 26ad3334a9a..9af04fdc8be 100644
--- a/dlls/dwrite/opentype.c
+++ b/dlls/dwrite/opentype.c
@@ -225,48 +225,35 @@ HRESULT opentype_analyze_font(IDWriteFontFileStream *stream, UINT32* font_count,
     return S_OK;
 }
 
-HRESULT find_font_table(IDWriteFontFileStream *stream, UINT32 font_index, UINT32 tag, const void** table_data, void** table_context, UINT32 *table_size, BOOL* found)
+HRESULT opentype_get_font_table(IDWriteFontFileStream *stream, DWRITE_FONT_FACE_TYPE type, UINT32 font_index, UINT32 tag,
+    const void **table_data, void **table_context, UINT32 *table_size, BOOL *found)
 {
-    const CHAR *first_data;
-    void *first_context;
     HRESULT hr;
     TTC_SFNT_V1 *font_header = NULL;
     void *sfnt_context;
     TT_TableRecord *table_record = NULL;
     void *table_record_context;
+    int table_count, table_offset = 0;
     int i;
-    int table_count;
-    int table_offset = 0;
 
     *found = FALSE;
 
-    hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&first_data, 0, 4, &first_context);
-    if (SUCCEEDED(hr))
-    {
-        if (DWRITE_MAKE_OPENTYPE_TAG(first_data[0], first_data[1], first_data[2], first_data[3]) == MS_TTCF_TAG)
-        {
-            const TTC_Header_V1 *ttc_header;
-            void * ttc_context;
-            hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&ttc_header, 0, sizeof(*ttc_header), &ttc_context);
-            if (SUCCEEDED(hr))
-            {
-                table_offset = GET_BE_DWORD(ttc_header->OffsetTable[0]);
-                if (font_index >= GET_BE_DWORD(ttc_header->numFonts))
-                    hr = E_INVALIDARG;
-                else
-                    hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&font_header, table_offset, sizeof(*font_header), &sfnt_context);
-                IDWriteFontFileStream_ReleaseFileFragment(stream, ttc_context);
-            }
-        }
-        else
-        {
-            if (font_index > 0)
+    if (type == DWRITE_FONT_FACE_TYPE_TRUETYPE_COLLECTION) {
+        const TTC_Header_V1 *ttc_header;
+        void * ttc_context;
+        hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&ttc_header, 0, sizeof(*ttc_header), &ttc_context);
+        if (SUCCEEDED(hr)) {
+            table_offset = GET_BE_DWORD(ttc_header->OffsetTable[0]);
+            if (font_index >= GET_BE_DWORD(ttc_header->numFonts))
                 hr = E_INVALIDARG;
             else
-                hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&font_header, 0, sizeof(*font_header), &sfnt_context);
+                hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&font_header, table_offset, sizeof(*font_header), &sfnt_context);
+            IDWriteFontFileStream_ReleaseFileFragment(stream, ttc_context);
         }
-        IDWriteFontFileStream_ReleaseFileFragment(stream, first_context);
     }
+    else
+        hr = IDWriteFontFileStream_ReadFileFragment(stream, (const void**)&font_header, 0, sizeof(*font_header), &sfnt_context);
+
     if (FAILED(hr))
         return hr;
 
diff --git a/dlls/dwrite/tests/font.c b/dlls/dwrite/tests/font.c
index 582cab0d587..65cd398ecb5 100644
--- a/dlls/dwrite/tests/font.c
+++ b/dlls/dwrite/tests/font.c
@@ -982,10 +982,14 @@ static void test_FontLoader(void)
         ok(face == DWRITE_FONT_FACE_TYPE_TRUETYPE, "got %i\n", face);
         ok(count == 1, "got %i\n", count);
 
-        hr = IDWriteFactory_CreateFontFace(factory, face, 1, &ffile, 0, 0, &fface);
-        ok(hr == S_OK, "got 0x%08x\n",hr);
+        /* invalid index */
+        hr = IDWriteFactory_CreateFontFace(factory, face, 1, &ffile, 1, DWRITE_FONT_SIMULATIONS_NONE, &fface);
+        ok(hr == E_INVALIDARG, "got 0x%08x\n", hr);
+
+        hr = IDWriteFactory_CreateFontFace(factory, face, 1, &ffile, 0, DWRITE_FONT_SIMULATIONS_NONE, &fface);
+        ok(hr == S_OK, "got 0x%08x\n", hr);
         hr = IDWriteFontFace_GetGlyphIndices(fface, codePoints, 1, indices);
-        ok(hr == S_OK, "got0x%08x\n",hr);
+        ok(hr == S_OK, "got 0x%08x\n", hr);
         ok(indices[0] == 6, "got index %i\n",indices[0]);
         IDWriteFontFace_Release(fface);
         IDWriteFontFile_Release(ffile);
-- 
2.11.4.GIT