author | bashi@chromium.org <bashi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-07-29 01:58:29 +0000 |
---|---|---|
committer | bashi@chromium.org <bashi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-07-29 01:58:29 +0000 |
commit | 7763a6a02fcd4479111530b64b9f6e00899aad2d (patch) | |
tree | dc86148b6394239c2085d99430a48f369deb4706 /third_party/harfbuzz | |
parent | ea41e2bcaff5770690f7d7033fbf1079c44a770d (diff) | |
OOB read in harfbuzz with khmer character.
Sets face->tmpLogClusters[i] to the last valid value of |item->log_clusters|
when |i| exceeds the size of the |item->log_clusters|.
BUG=90134
TEST=checked with ASAN and ran webkit/tools/layout_tests/run_webkit_tests.sh
Review URL: http://codereview.chromium.org/7465036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@94616 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/harfbuzz')
-rw-r--r-- | third_party/harfbuzz/chromium.patch | 41 | ||||
-rw-r--r-- | third_party/harfbuzz/src/harfbuzz-shaper.cpp | 4 |
2 files changed, 30 insertions, 15 deletions
diff --git a/third_party/harfbuzz/chromium.patch b/third_party/harfbuzz/chromium.patch
index 0705356..2923e6e 100644
--- a/third_party/harfbuzz/chromium.patch
+++ b/third_party/harfbuzz/chromium.patch
@@ -14,8 +14,22 @@ index 51dd4ea..cb7a85b 100644
 continue;
 } else {
 *iter = prev_iter;
+diff --git a/src/harfbuzz-gpos.c b/src/harfbuzz-gpos.c
+index 356dc01..db5ea0a 100644
+--- a/src/harfbuzz-gpos.c
++++ b/src/harfbuzz-gpos.c
+@@ -2976,6 +2976,9 @@ static HB_Error Lookup_MarkMarkPos( GPOS_Instance* gpi,
+ j--;
+ }
+
++ if ( i > buffer->in_pos )
++ return HB_Err_Not_Covered;
++
+ error = _HB_OPEN_Coverage_Index( &mmp->Mark2Coverage, IN_GLYPH( j ),
+ &mark2_index );
+ if ( error )
 diff --git a/src/harfbuzz-shaper.cpp b/src/harfbuzz-shaper.cpp
-index f3ec8e1..2b0dfde 100644
+index f3ec8e1..2b52221 100644
 --- a/src/harfbuzz-shaper.cpp
 +++ b/src/harfbuzz-shaper.cpp
 @@ -433,7 +433,7 @@ void HB_HeuristicSetGlyphAttributes(HB_ShaperItem *item)
@@ -35,17 +49,16 @@ index f3ec8e1..2b0dfde 100644
 // first char in a run is never (treated as) a mark
 int cStart = 0;
-diff --git a/src/harfbuzz-gpos.c b/src/harfbuzz-gpos.c
-index 356dc01..db5ea0a 100644
---- a/src/harfbuzz-gpos.c
-+++ b/src/harfbuzz-gpos.c
-@@ -2976,6 +2976,9 @@ static HB_Error Lookup_MarkMarkPos( GPOS_Instance* gpi,
- j--;
- }
-+ if ( i > buffer->in_pos )
-+ return HB_Err_Not_Covered;
-+
- error = _HB_OPEN_Coverage_Index( &mmp->Mark2Coverage, IN_GLYPH( j ),
- &mark2_index );
- if ( error )
+@@ -1151,10 +1150,11 @@ HB_Bool HB_OpenTypeShape(HB_ShaperItem *item, const hb_uint32 *properties)
+ return false;
+ face->tmpLogClusters = tmpLogClusters;
++ const int itemLength = item->item.length;
+ for (int i = 0; i < face->length; ++i) {
+ hb_buffer_add_glyph(face->buffer, item->glyphs[i], properties ? properties[i] : 0, i);
+ face->tmpAttributes[i] = item->attributes[i];
+- face->tmpLogClusters[i] = item->log_clusters[i];
++ face->tmpLogClusters[i] = i < itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1];
+ }
+
+ #ifdef OT_DEBUG
diff --git a/third_party/harfbuzz/src/harfbuzz-shaper.cpp b/third_party/harfbuzz/src/harfbuzz-shaper.cpp
index f1606e6..db9954f 100644
--- a/third_party/harfbuzz/src/harfbuzz-shaper.cpp
+++ b/third_party/harfbuzz/src/harfbuzz-shaper.cpp
@@ -1150,10 +1150,12 @@ HB_Bool HB_OpenTypeShape(HB_ShaperItem *item, const hb_uint32 *properties)
 return false;
 face->tmpLogClusters = tmpLogClusters;
+ const int itemLength = item->item.length;
+ assert(itemLength > 0);
 for (int i = 0; i < face->length; ++i) {
 hb_buffer_add_glyph(face->buffer, item->glyphs[i], properties ? properties[i] : 0, i);
 face->tmpAttributes[i] = item->attributes[i];
- face->tmpLogClusters[i] = item->log_clusters[i];
+ face->tmpLogClusters[i] = i < itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1];
 }
 #ifdef OT_DEBUG |
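Review bot: In the harfbuzz-shaper.cpp hunk, `assert(itemLength > 0);` is the only guard on the fallback `item->log_clusters[itemLength - 1]`, and an assert is normally compiled out when NDEBUG is defined, so a release build with `item->item.length == 0` and `face->length > 0` would read one element before the array. A runtime check ahead of the loop, for example `if (itemLength <= 0) return false;`, would keep the fallback in bounds; HB_OpenTypeShape starts and ends outside the hunk, so any cleanup that early return needs is not visible here. The loop still indexes `item->glyphs[i]`, `item->attributes[i]` and `properties[i]` up to `face->length`, so it is worth confirming that those arrays are sized by `face->length` and not by the item length. The copy of this change recorded in chromium.patch omits the assert line, so re-applying that patch to a fresh upstream drop would not reproduce this file.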