author | xdai <xdai@chromium.org> | 2015-08-12 15:35:38 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-08-12 22:36:16 +0000 |
commit | 4398f2f098ae87f339405b536277dffb35c5a9d6 (patch) | |
tree | 3655a31834a964459067b3cd4b9e4184e9db711b | |
parent | 8ca7453a60892f3f27a89ca405822d936b341f3b (diff) | |
Fix the heap-buffer-overflow in linux_asan_chrome_mp build.

It seems in AddressSanitizer (Asan), there is a possibility that a word can be comprised of partial
combining characters or a partial surrogate pair. In this case, FindValidBoundaryBefore() / FindValidBoundaryAfter()
might return an index that doesn't lie within the segment range, which causes the heap-buffer-overflow error.

BUG=516361
TEST=No crash when trying to open fuzz-142.pdf on Asan chrome build

Review URL: https://codereview.chromium.org/1262273003
Cr-Commit-Position: refs/heads/master@{#343115}

-rw-r--r-- | ui/gfx/render_text_harfbuzz.cc | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/ui/gfx/render_text_harfbuzz.cc b/ui/gfx/render_text_harfbuzz.cc index 775fb1c..b2652b8 100644 --- a/ui/gfx/render_text_harfbuzz.cc +++ b/ui/gfx/render_text_harfbuzz.cc @@ -438,7 +438,8 @@ class HarfBuzzLineBreaker { end_pos++; } - const size_t valid_end_pos = FindValidBoundaryBefore(text_, end_pos); + const size_t valid_end_pos = std::max( + segment.char_range.start(), FindValidBoundaryBefore(text_, end_pos)); if (end_pos != valid_end_pos) { end_pos = valid_end_pos; width = run.GetGlyphWidthForCharRange( @@ -449,8 +450,10 @@ class HarfBuzzLineBreaker { // need to put at least one character in the line. Note that, we should // not separate surrogate pair or combining characters. // See RenderTextTest.Multiline_MinWidth for an example. - if (width == 0 && available_width_ == max_width_) - end_pos = FindValidBoundaryAfter(text_, end_pos + 1); + if (width == 0 && available_width_ == max_width_) { + end_pos = std::min(segment.char_range.end(), + FindValidBoundaryAfter(text_, end_pos + 1)); + } return end_pos; } |
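Review bot: In the first hunk (@@ -438,7 +438,8), the value produced by std::max(segment.char_range.start(), FindValidBoundaryBefore(text_, end_pos)) stays inside the segment but is no longer guaranteed to be a valid boundary, which is the property FindValidBoundaryBefore() was called to provide. Please add a comment on this line stating that a segment may begin inside a combining sequence or surrogate pair and that staying in range takes priority over not splitting it. A DCHECK that end_pos is within segment.char_range after the assignment would also make a future regression fail in debug builds instead of only under ASan.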
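Review bot: In the second hunk (@@ -449,8 +450,10), std::min() bounds only the value returned by FindValidBoundaryAfter(text_, end_pos + 1); the end_pos + 1 argument is still passed through unchecked. If that function reads text_ at the index it is given, the clamp comes too late, so please confirm or assert that end_pos + 1 cannot exceed the text length at this point. The comment above the condition still says surrogate pairs and combining characters are not separated, which the clamp to segment.char_range.end() can now contradict, so it should be updated. The change touches only render_text_harfbuzz.cc and is checked by opening fuzz-142.pdf on an ASan build; a RenderTextTest case with a word segment that ends inside a surrogate pair would keep this path covered.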