Index: ChangeLog
===================================================================
RCS file: /cvs/gnome/pango/ChangeLog,v
retrieving revision 1.1162
diff -u -p -r1.1162 ChangeLog
--- ChangeLog	26 Jul 2005 13:24:49 -0000	1.1162
+++ ChangeLog	26 Jul 2005 14:39:54 -0000
@@ -1,5 +1,10 @@
 2005-07-26  Behdad Esfahbod  <pango@behdad.org>
 
+	* pango/opentype/ftxgsub.c, pango/opentype/ftxgpos.c: Skip lookups
+	with lookup index out of range. (#171170)
+
+2005-07-26  Behdad Esfahbod  <pango@behdad.org>
+
 	* examples/cairoview.c, examples/pangoft2topgm.c,
 	examples/renderdemo.c, examples/renderdemo.h: Fixed a couple of leaks
 	and freed memory after use.
Index: pango/opentype/ftxgpos.c
===================================================================
RCS file: /cvs/gnome/pango/pango/opentype/ftxgpos.c,v
retrieving revision 1.27
diff -u -p -r1.27 ftxgpos.c
--- pango/opentype/ftxgpos.c	22 Jul 2005 17:56:37 -0000	1.27
+++ pango/opentype/ftxgpos.c	26 Jul 2005 14:39:55 -0000
@@ -5872,7 +5872,7 @@
                                     FT_UShort         context_length,
                                     int               nesting_level )
   {
-    FT_Error         error = TT_Err_Ok;
+    FT_Error         error = TTO_Err_Not_Covered;
     FT_UShort        i, flags;
     TTO_GPOSHeader*  gpos = gpi->gpos;
     TTO_Lookup*      lo;
@@ -6049,8 +6049,9 @@
     TTO_Feature  feature;
     FT_UInt*     properties;
     FT_UShort*   index;
+    FT_UShort    lookup_count;
 
-    /* Each feature can only be added once once */
+    /* Each feature can only be added once */
     
     if ( !gpos ||
          feature_index >= gpos->FeatureList.FeatureCount ||
@@ -6063,9 +6064,14 @@
 
     feature = gpos->FeatureList.FeatureRecord[feature_index].Feature;
     index   = feature.LookupListIndex;
+    lookup_count = gpos->LookupList.LookupCount;
 
     for ( i = 0; i < feature.LookupListCount; i++ )
-      properties[index[i]] |= property;
+    {
+      FT_UShort lookup_index = index[i];
+      if (lookup_index < lookup_count)
+	properties[lookup_index] |= property;
+    }
 
     return TT_Err_Ok;
   }
@@ -6133,7 +6139,7 @@
   {
     FT_Error       error, retError = TTO_Err_Not_Covered;
     GPOS_Instance  gpi;
-    FT_UShort      i, j, feature_index;
+    FT_UShort      i, j, feature_index, lookup_count;
     TTO_Feature    feature;
 
     if ( !face || !gpos ||
@@ -6146,6 +6152,8 @@
     gpi.r2l        = r2l;
     gpi.dvi        = dvi;
     
+    lookup_count = gpos->LookupList.LookupCount;
+
     for ( i = 0; i < gpos->FeatureList.ApplyCount; i++ )
     { 
       /* index of i'th feature */
@@ -6154,7 +6162,13 @@
 
       for ( j = 0; j < feature.LookupListCount; j++ )
       {
-	error = Do_String_Lookup( &gpi, feature.LookupListIndex[j], buffer );
+	FT_UShort lookup_index = feature.LookupListIndex[j];
+
+	/* Skip nonexistant lookups */
+        if (lookup_index >= lookup_count)
+	 continue;
+
+	error = Do_String_Lookup( &gpi, lookup_index, buffer );
 	if ( error )
 	{
 	  if ( error != TTO_Err_Not_Covered )
Index: pango/opentype/ftxgsub.c
===================================================================
RCS file: /cvs/gnome/pango/pango/opentype/ftxgsub.c,v
retrieving revision 1.28
diff -u -p -r1.28 ftxgsub.c
--- pango/opentype/ftxgsub.c	22 Jul 2005 17:56:37 -0000	1.28
+++ pango/opentype/ftxgsub.c	26 Jul 2005 14:39:56 -0000
@@ -1130,8 +1130,7 @@
   {
     FT_Error  error;
     FT_UShort i, old_pos;
-
-
+    
     i = 0;
 
     while ( i < GlyphCount )
@@ -3939,8 +3938,8 @@
                                     FT_UShort         context_length,
                                     int               nesting_level )
   {
-    FT_Error     error = TT_Err_Ok;
-    FT_UShort    i, flags;
+    FT_Error     error = TTO_Err_Not_Covered;
+    FT_UShort    i, flags, lookup_count;
     TTO_Lookup*  lo;
 
 
@@ -3949,6 +3948,10 @@
     if ( nesting_level > TTO_MAX_NESTING_LEVEL )
       return TTO_Err_Too_Many_Nested_Contexts;
 
+    lookup_count = gsub->LookupList.LookupCount;
+    if (lookup_index >= lookup_count)
+      return error;
+
     lo    = &gsub->LookupList.Lookup[lookup_index];
     flags = lo->LookupFlag;
 
@@ -4056,8 +4059,9 @@
     TTO_Feature  feature;
     FT_UInt*     properties;
     FT_UShort*   index;
+    FT_UShort    lookup_count;
 
-    /* Each feature can only be added once once */
+    /* Each feature can only be added once */
     
     if ( !gsub ||
          feature_index >= gsub->FeatureList.FeatureCount ||
@@ -4070,9 +4074,14 @@
 
     feature = gsub->FeatureList.FeatureRecord[feature_index].Feature;
     index   = feature.LookupListIndex;
+    lookup_count = gsub->LookupList.LookupCount;
 
     for ( i = 0; i < feature.LookupListCount; i++ )
-      properties[index[i]] |= property;
+    {
+      FT_UShort lookup_index = index[i];
+      if (lookup_index < lookup_count)
+	properties[lookup_index] |= property;
+    }
 
     return TT_Err_Ok;
   }
@@ -4120,13 +4129,15 @@
 				  OTL_Buffer        buffer )
   {
     FT_Error          error, retError = TTO_Err_Not_Covered;
-    FT_UShort         i, j, feature_index;
+    FT_UShort         i, j, feature_index, lookup_count;
     TTO_Feature       feature;
 
     if ( !gsub ||
          !buffer || buffer->in_length == 0 || buffer->in_pos >= buffer->in_length )
       return TT_Err_Invalid_Argument;
 
+    lookup_count = gsub->LookupList.LookupCount;
+
     for ( i = 0; i < gsub->FeatureList.ApplyCount; i++)
     {
       feature_index = gsub->FeatureList.ApplyOrder[i];
@@ -4134,7 +4145,13 @@
 
       for ( j = 0; j < feature.LookupListCount; j++ )
       {
-        error = Do_String_Lookup( gsub, feature.LookupListIndex[j], buffer );
+	FT_UShort lookup_index = feature.LookupListIndex[j];
+
+	/* Skip nonexistant lookups */
+        if (lookup_index >= lookup_count)
+	 continue;
+
+        error = Do_String_Lookup( gsub, lookup_index, buffer );
 	if ( error )
 	{
 	  if ( error != TTO_Err_Not_Covered )