From f188306f4fef8034bdfa21a3ba56580b5e218251 Mon Sep 17 00:00:00 2001
From: David Wendt
Date: Wed, 3 Mar 2021 21:11:42 -0500
Subject: [PATCH] avm2: `setTextFormat` is range-checked

---
 core/src/avm2/globals/flash/text/textfield.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/core/src/avm2/globals/flash/text/textfield.rs b/core/src/avm2/globals/flash/text/textfield.rs
index d1f9b7408..2d1513006 100644
--- a/core/src/avm2/globals/flash/text/textfield.rs
+++ b/core/src/avm2/globals/flash/text/textfield.rs
@@ -827,10 +827,18 @@ pub fn set_text_format<'gc>(
 begin_index = 0;
 }
 
+ if begin_index as usize > this.text_length() {
+ return Err("RangeError: The supplied index is out of bounds.".into());
+ }
+
 if end_index < 0 {
 end_index = this.text_length() as i32;
 }
 
+ if end_index as usize > this.text_length() {
+ return Err("RangeError: The supplied index is out of bounds.".into());
+ }
+
 this.set_text_format(
 begin_index as usize,
 end_index as usize,
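Review bot: Nothing in the new guards checks the order of the two indices: each is compared with `this.text_length()` on its own, so a script-supplied pair with `begin_index > end_index` that is otherwise in range still reaches `this.set_text_format(begin_index as usize, end_index as usize, …)`. Whether that callee tolerates an inverted range is not visible here; if it slices text by these offsets, untrusted SWF content could turn it into a panic. After the second guard I would add `if begin_index > end_index { return Err("RangeError: The supplied index is out of bounds.".into()); }`, once Flash Player's behaviour for an inverted range has been confirmed. The `begin_index as usize` cast is only safe because of the clamp to 0 whose condition sits above the hunk, so a comment like `// begin_index was clamped to >= 0 above, so the cast cannot wrap` would help. The body of `set_text_format` starts and ends outside this hunk.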