OpenType GSUB 'Extension Substitution' lookup results in wrong offsets

Description

My application, which runs fine with ICU 4.8, started crashing with a memory access violation after I attempted an upgrade to ICU 52. The crash occurs with certain fonts, such as the version of Calibri Regular that comes preinstalled with Windows 8.

I think the problem is caused by ICU's faulty treatment of the Extension Substitution subtables that Calibri's GSUB table contains. The OpenType specification says that the offset in the subtable is "''relative to the start of the ExtensionSubstFormat1 subtable''." But in ICU ''ExtensionSubtable::process'', or somewhere thereabouts, that offset is erroneously applied relative to the start of the GSUB table instead.

I have tried implementing ''LEFontInstance::getFontTable(LETag, size_t&)'', which gets rid of the crash, and instead fails layout with ''LE_INDEX_OUT_OF_BOUNDS_ERROR''.

I have tested the problem with 53M1, with the same result as in 52.
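The offset resolution described in the report, as an added C++ example that is not ICU's code: the spec-correct base (the extension subtable itself) beside the wrong base (the GSUB start), over a constructed byte layout, with the bounds checks a hardened reader needs. The names resolveExtension, sampleGsub and resolveSample are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>
// Big-endian readers that refuse to run past the end of the table.
static bool rd16(const uint8_t* t, size_t len, size_t off, uint16_t& v) {
    if (off > len || len - off < 2) return false;
    v = static_cast<uint16_t>((t[off] << 8) | t[off + 1]); return true;
}
static bool rd32(const uint8_t* t, size_t len, size_t off, uint32_t& v) {
    if (off > len || len - off < 4) return false;
    v = (static_cast<uint32_t>(t[off]) << 24) | (static_cast<uint32_t>(t[off + 1]) << 16) |
        (static_cast<uint32_t>(t[off + 2]) << 8) | t[off + 3];
    return true;
}

// gsub/len: the whole GSUB table; extOff: start of the ExtensionSubstFormat1
// subtable, counted from the GSUB start. Returns the absolute offset of the
// wrapped subtable, or -1 if the data is malformed or would run out of bounds.
// relativeToGsub = true reproduces the wrong base the report describes.
static long resolveExtension(const uint8_t* gsub, size_t len, size_t extOff, bool relativeToGsub) {
    uint16_t format = 0, lookupType = 0; uint32_t extensionOffset = 0;
    if (!rd16(gsub, len, extOff, format) || format != 1) return -1;
    if (!rd16(gsub, len, extOff + 2, lookupType)) return -1;
    if (!rd32(gsub, len, extOff + 4, extensionOffset)) return -1;
    size_t base = relativeToGsub ? 0 : extOff;    // per spec the base is extOff
    if (extensionOffset > len - base) return -1;  // overflow-safe bounds check
    size_t target = base + extensionOffset;
    uint16_t targetFormat = 0;                    // wrapped subtable needs at least a format field
    if (!rd16(gsub, len, target, targetFormat)) return -1;
    return static_cast<long>(target);
}

// Constructed 48-byte GSUB fragment: an extension subtable at 0x0C wrapping a
// SingleSubstFormat1 subtable 0x14 bytes further on, i.e. at 0x20. Everything
// else is zero padding, so the wrong base (0x00 + 0x14) lands on garbage.
static std::vector<uint8_t> sampleGsub() {
    std::vector<uint8_t> t(48, 0);
    const uint8_t ext[] = {0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x14};  // format 1, type 1, offset 0x14
    const uint8_t single[] = {0x00, 0x01, 0x00, 0x06, 0x00, 0x01};  // format 1, coverage 6, delta 1
    std::copy(ext, ext + 8, t.begin() + 0x0C);
    std::copy(single, single + 6, t.begin() + 0x20);
    return t;
}

// Resolve the sample's extension subtable, optionally with a truncated table length.
static long resolveSample(bool relativeToGsub, size_t len = 48) {
    std::vector<uint8_t> g = sampleGsub();
    return resolveExtension(g.data(), len, 0x0C, relativeToGsub);
}
```

With the spec-correct base the wrapped SingleSubst subtable is found at 0x20; with the GSUB-relative base the reader lands at 0x14 inside the padding, which is the kind of misread that then produces a bogus coverage offset and an out-of-bounds access.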

Activity

UnicodeBot July 1, 2018 at 12:04 AM

Trac Comment 9 by —2016-09-12T16:10:04.286Z

Layout engine has been removed from ICU 58.

UnicodeBot July 1, 2018 at 12:04 AM

Trac Comment 8 by elmar.braun@0b270a49e67dba48—2015-08-27T16:06:27.106Z

Please note that ticket #10953 is a duplicate of this.

UnicodeBot July 1, 2018 at 12:04 AM

Trac Comment 5 by —2015-05-08T17:41:33.038Z

The ICU layout engine (but not ParagraphLayout) has been deprecated in ICU 54. See http://site.icu-project.org/download/54

UnicodeBot July 1, 2018 at 12:04 AM

Trac Comment 2 by ned@ecd29b8aa7120a3f—2014-06-09T19:25:45.275Z

I can confirm the problem. After an upgrade to ICU 52, fonts from the Calibri font family no longer work (i.e. layout fails with LE_INDEX_OUT_OF_BOUNDS_ERROR and no glyph output is generated). This issue was introduced in ICU 51.2 (2013-Apr-18), which attempts to fix multiple security vulnerabilities in the Layout Engine (see ICU ticket #10107). More specifically, the following lines of code from ExtensionSubtables.cpp cause this problem:

If these lines are replaced with code from ICU 51 (shown below), the Calibri font works again:

Won't Fix

Created June 28, 2018 at 5:21 PM
Updated July 2, 2018 at 2:31 AM
Resolved July 2, 2018 at 2:31 AM