| field | value | |
|---|---|---|
| author | yusukes@google.com <yusukes@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-18 01:33:49 +0000 |
| committer | yusukes@google.com <yusukes@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-18 01:33:49 +0000 |
| commit | c27e411de097d9da503f6d122e9df1083938ee45 | (patch) |
| tree | b566ab36d113faeb2c7379e72e903ab705699049 | /skia/ext/SkFontHost_fontconfig_direct.cpp |
| parent | 21e743205216812e6ca165313b7999f94f0fdc3e | (diff) |
| download | chromium_src-c27e411de097d9da503f6d122e9df1083938ee45.zip, chromium_src-c27e411de097d9da503f6d122e9df1083938ee45.tar.gz, chromium_src-c27e411de097d9da503f6d122e9df1083938ee45.tar.bz2 | |
Returns an error immediately without sending an IPC message when a font family name to resolve is too long.
This change is important when a site has an @font-face rule like:
// http://paulirish.com/webkit-fontface-hang.html
@font-face{font-family:testfont;src:url('data:font/ttf;base64,AA.....<<looooooooooong base64 data>>.....aQ==')}
In such a case, WebCore first calls SkFontHost::CreateTypeface() with the (possibly very long) data-uri string itself, then calls SkFontHost::CreateTypefaceFromStream() with the decoded byte stream. Since render_sandbox_host_linux.cc just ignores a too-long IPC message, the renderer process could block indefinitely waiting for a reply inside the recvmsg() system call called from SkFontHost::CreateTypeface().
I'm not sure if the WebCore behavior (i.e. calling CreateTypeface with data-uris) is reasonable, but I believe the Skia part is better fixed anyway. Non-data-uri font family names could be very long too:
@font-face{font-family:testfont;src:local('AA........AA');}
BUG=29861
TEST=First, set up your Linux SUID Sandbox binary: http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment. Then start Chromium and visit http://paulirish.com/webkit-fontface-hang.html or http://typekit.com/. Verify that the renderer does not freeze.
Review URL: http://codereview.chromium.org/507037
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34915 0039d316-1c4b-4281-b951-d872f2087c98
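The failure mode the commit message describes (a host that silently drops over-long requests, and a client that blocks forever in recvmsg() waiting for a reply that never comes) is easy to reproduce and to defend against in miniature. The C program below is an added example written for this page; it is not Chromium or Skia code. It models the renderer/sandbox-host exchange over a datagram socketpair in a single process: the host drops any request longer than kMaxFontFamilyLength without answering, and the client applies two defences, the same kind of length check the patch adds before any message is sent, and a poll() timeout so that a dropped request can never turn into an unbounded wait. The limit value (64), the one-byte reply framing, the 200 ms timeout and the toy "sans" matching rule are all assumptions made for the example.

```c
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed values for this example; Chromium's real limit and framing differ. */
enum { kMaxFontFamilyLength = 64 };   /* longest family name the host accepts */
enum { kReplyTimeoutMs = 200 };       /* upper bound on the client's wait */

enum MatchResult {
    MATCH_OK = 0,        /* host replied: family found */
    MATCH_NONE = 1,      /* host replied: no such family */
    MATCH_TOO_LONG = 2,  /* rejected by the client, nothing sent */
    MATCH_TIMEOUT = 3,   /* host dropped the request; bounded wait expired */
    MATCH_ERROR = 4      /* socket error */
};

/* Host side. Reads one request and replies only if it is within the limit.
 * Over-long requests are dropped without any reply, which is the behaviour
 * the commit message attributes to render_sandbox_host_linux.cc. */
static void host_handle_one(int fd) {
    char buf[1024];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n <= 0 || (size_t)n > kMaxFontFamilyLength)
        return;                                   /* silently ignored */
    /* Toy matching rule: the host knows exactly one family, "sans". */
    uint8_t reply = (n == 4 && memcmp(buf, "sans", 4) == 0) ? 1 : 0;
    send(fd, &reply, sizeof reply, 0);
}

/* Client side, step 1: the same kind of guard the patch adds to
 * FontConfigDirect::Match. Nonzero means the name must be rejected locally. */
static int client_name_too_long(size_t len) {
    return len > kMaxFontFamilyLength;
}

/* Client side, step 2: wait for the reply, but never longer than the timeout.
 * A plain blocking recv() here is what turns a dropped request into a hang. */
static enum MatchResult client_wait_reply(int fd) {
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int ready = poll(&pfd, 1, kReplyTimeoutMs);
    if (ready == 0) return MATCH_TIMEOUT;
    if (ready < 0) return MATCH_ERROR;
    uint8_t reply;
    if (recv(fd, &reply, sizeof reply, 0) != (ssize_t)sizeof reply)
        return MATCH_ERROR;
    return reply ? MATCH_OK : MATCH_NONE;
}

/* Runs one request end to end in a single process over a datagram socketpair:
 * client sends, host services its end, client collects the reply. 'guarded'
 * selects whether the client applies the length check before sending. */
static enum MatchResult run_request(const char *family, int guarded) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return MATCH_ERROR;
    size_t len = strlen(family);
    enum MatchResult r;
    if (guarded && client_name_too_long(len)) {
        r = MATCH_TOO_LONG;                       /* fail fast, no IPC at all */
    } else if (send(sv[0], family, len, 0) != (ssize_t)len) {
        r = MATCH_ERROR;
    } else {
        host_handle_one(sv[1]);
        r = client_wait_reply(sv[0]);
    }
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Constructed over-limit name standing in for a long data: URI or local() name. */
static const char *long_family_name(void) {
    static char name[kMaxFontFamilyLength * 3 + 1];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

int main(void) {
    printf("sans, guarded:   %d\n", run_request("sans", 1));
    printf("serif, guarded:  %d\n", run_request("serif", 1));
    printf("long, guarded:   %d\n", run_request(long_family_name(), 1));
    printf("long, unguarded: %d\n", run_request(long_family_name(), 0));
    return 0;
}
```

The unguarded run of the long name is the interesting one: the host reads and discards the request, and only the poll() timeout keeps the client from waiting forever. The guarded run never touches the socket at all, which is the cheaper fix and the one the patch takes; the two defences are complementary, since a length check protects only against the one drop condition the client knows about.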
Diffstat (limited to 'skia/ext/SkFontHost_fontconfig_direct.cpp')
-rw-r--r-- | skia/ext/SkFontHost_fontconfig_direct.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/skia/ext/SkFontHost_fontconfig_direct.cpp b/skia/ext/SkFontHost_fontconfig_direct.cpp index 3f19fc7..9434f51 100644 --- a/skia/ext/SkFontHost_fontconfig_direct.cpp +++ b/skia/ext/SkFontHost_fontconfig_direct.cpp @@ -46,6 +46,9 @@ bool FontConfigDirect::Match(std::string* result_family, bool fileid_valid, unsigned fileid, const std::string& family, bool* is_bold, bool* is_italic) { + if (family.length() > kMaxFontFamilyLength) + return false; + SkAutoMutexAcquire ac(mutex_); FcPattern* pattern = FcPatternCreate(); |
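Review bot: the constant kMaxFontFamilyLength used by the new early return at the top of FontConfigDirect::Match is not declared anywhere in this hunk; please point at where it is defined and confirm that the same constant is used by the IPC client and by the length check in render_sandbox_host_linux.cc that drops over-long messages, since a client-side limit larger than the host's would leave the recvmsg() hang described in the commit message reachable. A short comment above the check saying why it exists (the host silently ignores over-long requests, BUG=29861) would save the next reader a trip to the commit log; placing it before `SkAutoMutexAcquire ac(mutex_);` is the right choice, as rejected requests then never take the lock.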