diff options
| author | bashi@chromium.org <bashi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-11 02:19:10 +0000 |
|---|---|---|
| committer | bashi@chromium.org <bashi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-11 02:19:10 +0000 |
| commit | 94e715503fa84149250d01f31cbc64a683b9cd55 (patch) | |
| tree | 60b33703f06a4aa569e0d2ed67ab48ba124dbbb9 /third_party/harfbuzz/chromium.patch | |
| parent | 0e3f30727adf5ca0a76ddae8c7bc53eaecdb2380 (diff) | |
| download | chromium_src-94e715503fa84149250d01f31cbc64a683b9cd55.zip chromium_src-94e715503fa84149250d01f31cbc64a683b9cd55.tar.gz chromium_src-94e715503fa84149250d01f31cbc64a683b9cd55.tar.bz2 | |
[Harfbuzz] Fix OOB read in tibetan_form()
|c| should be smaller than 0x0fc0.
BUG=chromium:122586
TEST=manual
Review URL: http://codereview.chromium.org/10024052
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131694 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/harfbuzz/chromium.patch')
| -rw-r--r-- | third_party/harfbuzz/chromium.patch | 31 |
1 files changed, 15 insertions, 16 deletions
diff --git a/third_party/harfbuzz/chromium.patch b/third_party/harfbuzz/chromium.patch index 57f392e..a2f44c8 100644 --- a/third_party/harfbuzz/chromium.patch +++ b/third_party/harfbuzz/chromium.patch @@ -1,5 +1,5 @@ diff --git a/contrib/harfbuzz-unicode.c b/contrib/harfbuzz-unicode.c -index ce4f8e2..eeff2b9 100644 +index 72c5cf2..49e47b0 100644 --- a/contrib/harfbuzz-unicode.c +++ b/contrib/harfbuzz-unicode.c @@ -120,7 +120,6 @@ hb_utf16_script_run_next(unsigned *num_code_points, HB_ScriptItem *output, @@ -34,22 +34,8 @@ index 3837087..ce2ca6c 100644 #ifndef NO_OPENTYPE if (HB_SelectScript(item, item->item.script == HB_Script_Arabic ? arabic_features : syriac_features)) { -diff --git a/src/harfbuzz-myanmar.c b/src/harfbuzz-myanmar.c -index 4b68e64..f4d6d78 100644 ---- a/src/harfbuzz-myanmar.c -+++ b/src/harfbuzz-myanmar.c -@@ -359,7 +359,8 @@ static HB_Bool myanmar_shape_syllable(HB_Bool openType, HB_ShaperItem *item, HB_ - if (kinzi >= 0 && i > base && (cc & Mymr_CF_AFTER_KINZI)) { - reordered[len] = Mymr_C_NGA; - reordered[len+1] = Mymr_C_VIRAMA; -- properties[len-1] = AboveForm; -+ if (len > 0) -+ properties[len-1] = AboveForm; - properties[len] = AboveForm; - len += 2; - kinzi = -1; diff --git a/src/harfbuzz-shaper.cpp b/src/harfbuzz-shaper.cpp -index ce4d4ac..5999e08 100644 +index 7d433ea..dd86a40 100644 --- a/src/harfbuzz-shaper.cpp +++ b/src/harfbuzz-shaper.cpp @@ -430,8 +430,6 @@ void HB_HeuristicSetGlyphAttributes(HB_ShaperItem *item) @@ -134,3 +120,16 @@ index ab5c07a..72c9aa3 100644 } HB_ShaperFlag; /* +diff --git a/src/harfbuzz-tibetan.c b/src/harfbuzz-tibetan.c +index 847ac52..6f9a55b 100644 +--- a/src/harfbuzz-tibetan.c ++++ b/src/harfbuzz-tibetan.c +@@ -90,7 +90,7 @@ static const unsigned char tibetanForm[0x80] = { + + + #define tibetan_form(c) \ +- ((c) >= 0x0f40 && (c) <= 0x0fc0 ? (TibetanForm)tibetanForm[(c) - 0x0f40] : TibetanOther) ++ ((c) >= 0x0f40 && (c) < 0x0fc0 ? (TibetanForm)tibetanForm[(c) - 0x0f40] : TibetanOther) + + static const HB_OpenTypeFeature tibetan_features[] = { + { HB_MAKE_TAG('c', 'c', 'm', 'p'), CcmpProperty }, |