diff options
| author | bashi@chromium.org <bashi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-28 01:57:16 +0000 |
|---|---|---|
| committer | bashi@chromium.org <bashi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-28 01:57:16 +0000 |
| commit | 2953a669ec0a32a25c6250d34bf895ec0eb63d27 (patch) | |
| tree | 5c3dbec7e6c2f82ab87b52eef57a8a1b24a34771 /third_party | |
| parent | e5d549d8889c0533703211652564bc0a55ec9938 (diff) | |
| download | chromium_src-2953a669ec0a32a25c6250d34bf895ec0eb63d27.zip chromium_src-2953a669ec0a32a25c6250d34bf895ec0eb63d27.tar.gz chromium_src-2953a669ec0a32a25c6250d34bf895ec0eb63d27.tar.bz2 | |
Avoid an overflow in harfbuzz-myanmar.c
Adds a guard to prevent invalid assignment.
BUG=108006
TEST=manually with ASAN.
Review URL: http://codereview.chromium.org/8997001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@115859 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party')
| -rw-r--r-- | third_party/harfbuzz/chromium.patch | 16 | ||||
| -rw-r--r-- | third_party/harfbuzz/src/harfbuzz-myanmar.c | 3 |
2 files changed, 17 insertions, 2 deletions
diff --git a/third_party/harfbuzz/chromium.patch b/third_party/harfbuzz/chromium.patch index d3f405d..57f392e 100644 --- a/third_party/harfbuzz/chromium.patch +++ b/third_party/harfbuzz/chromium.patch @@ -1,5 +1,5 @@ diff --git a/contrib/harfbuzz-unicode.c b/contrib/harfbuzz-unicode.c -index 049e0ca..86458d0 100644 +index ce4f8e2..eeff2b9 100644 --- a/contrib/harfbuzz-unicode.c +++ b/contrib/harfbuzz-unicode.c @@ -120,7 +120,6 @@ hb_utf16_script_run_next(unsigned *num_code_points, HB_ScriptItem *output, @@ -34,6 +34,20 @@ index 3837087..ce2ca6c 100644 #ifndef NO_OPENTYPE if (HB_SelectScript(item, item->item.script == HB_Script_Arabic ? arabic_features : syriac_features)) { +diff --git a/src/harfbuzz-myanmar.c b/src/harfbuzz-myanmar.c +index 4b68e64..f4d6d78 100644 +--- a/src/harfbuzz-myanmar.c ++++ b/src/harfbuzz-myanmar.c +@@ -359,7 +359,8 @@ static HB_Bool myanmar_shape_syllable(HB_Bool openType, HB_ShaperItem *item, HB_ + if (kinzi >= 0 && i > base && (cc & Mymr_CF_AFTER_KINZI)) { + reordered[len] = Mymr_C_NGA; + reordered[len+1] = Mymr_C_VIRAMA; +- properties[len-1] = AboveForm; ++ if (len > 0) ++ properties[len-1] = AboveForm; + properties[len] = AboveForm; + len += 2; + kinzi = -1; diff --git a/src/harfbuzz-shaper.cpp b/src/harfbuzz-shaper.cpp index ce4d4ac..5999e08 100644 --- a/src/harfbuzz-shaper.cpp diff --git a/third_party/harfbuzz/src/harfbuzz-myanmar.c b/third_party/harfbuzz/src/harfbuzz-myanmar.c index 4b68e64..1da5bbf 100644 --- a/third_party/harfbuzz/src/harfbuzz-myanmar.c +++ b/third_party/harfbuzz/src/harfbuzz-myanmar.c @@ -359,7 +359,8 @@ static HB_Bool myanmar_shape_syllable(HB_Bool openType, HB_ShaperItem *item, HB_ if (kinzi >= 0 && i > base && (cc & Mymr_CF_AFTER_KINZI)) { reordered[len] = Mymr_C_NGA; reordered[len+1] = Mymr_C_VIRAMA; - properties[len-1] = AboveForm; + if (len > 0) + properties[len-1] = AboveForm; properties[len] = AboveForm; len += 2; kinzi = -1; |