From 7763a6a02fcd4479111530b64b9f6e00899aad2d Mon Sep 17 00:00:00 2001
From: "bashi@chromium.org"
Date: Fri, 29 Jul 2011 01:58:29 +0000
Subject: OOB read in harfbuzz with khmer character.
Sets face->tmpLogClusters[i] to the last valid value of |item->log_clusters| when |i| exceeds the size of the |item->log_clusters|.
BUG=90134
TEST=checked with ASAN and ran webkit/tools/layout_tests/run_webkit_tests.sh
Review URL: http://codereview.chromium.org/7465036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@94616 0039d316-1c4b-4281-b951-d872f2087c98
---
 third_party/harfbuzz/chromium.patch | 41 ++++++++++++++++++----------
 third_party/harfbuzz/src/harfbuzz-shaper.cpp | 4 ++-
 2 files changed, 30 insertions(+), 15 deletions(-)
(limited to 'third_party')
diff --git a/third_party/harfbuzz/chromium.patch b/third_party/harfbuzz/chromium.patch
index 0705356..2923e6e 100644
--- a/third_party/harfbuzz/chromium.patch
+++ b/third_party/harfbuzz/chromium.patch
@@ -14,8 +14,22 @@ index 51dd4ea..cb7a85b 100644
 continue;
 } else {
 *iter = prev_iter;
+diff --git a/src/harfbuzz-gpos.c b/src/harfbuzz-gpos.c
+index 356dc01..db5ea0a 100644
+--- a/src/harfbuzz-gpos.c
++++ b/src/harfbuzz-gpos.c
+@@ -2976,6 +2976,9 @@ static HB_Error Lookup_MarkMarkPos( GPOS_Instance* gpi,
+ j--;
+ }
+
++ if ( i > buffer->in_pos )
++ return HB_Err_Not_Covered;
++
+ error = _HB_OPEN_Coverage_Index( &mmp->Mark2Coverage, IN_GLYPH( j ),
+ &mark2_index );
+ if ( error )
 diff --git a/src/harfbuzz-shaper.cpp b/src/harfbuzz-shaper.cpp
-index f3ec8e1..2b0dfde 100644
+index f3ec8e1..2b52221 100644
 --- a/src/harfbuzz-shaper.cpp
 +++ b/src/harfbuzz-shaper.cpp
 @@ -433,7 +433,7 @@ void HB_HeuristicSetGlyphAttributes(HB_ShaperItem *item)
@@ -35,17 +49,16 @@ index f3ec8e1..2b0dfde 100644
 // first char in a run is never (treated as) a mark
 int cStart = 0;
-diff --git a/src/harfbuzz-gpos.c b/src/harfbuzz-gpos.c
-index 356dc01..db5ea0a 100644
---- a/src/harfbuzz-gpos.c
-+++ b/src/harfbuzz-gpos.c
-@@ -2976,6 +2976,9 @@ static HB_Error Lookup_MarkMarkPos( GPOS_Instance* gpi,
- j--;
- }
+@@ -1151,10 +1150,11 @@ HB_Bool HB_OpenTypeShape(HB_ShaperItem *item, const hb_uint32 *properties)
+ return false;
+ face->tmpLogClusters = tmpLogClusters;
-+ if ( i > buffer->in_pos )
-+ return HB_Err_Not_Covered;
-+
- error = _HB_OPEN_Coverage_Index( &mmp->Mark2Coverage, IN_GLYPH( j ),
- &mark2_index );
- if ( error )
++ const int itemLength = item->item.length;
+ for (int i = 0; i < face->length; ++i) {
+ hb_buffer_add_glyph(face->buffer, item->glyphs[i], properties ? properties[i] : 0, i);
+ face->tmpAttributes[i] = item->attributes[i];
+- face->tmpLogClusters[i] = item->log_clusters[i];
++ face->tmpLogClusters[i] = i < itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1];
+ }
+
+ #ifdef OT_DEBUG
diff --git a/third_party/harfbuzz/src/harfbuzz-shaper.cpp b/third_party/harfbuzz/src/harfbuzz-shaper.cpp
index f1606e6..db9954f 100644
--- a/third_party/harfbuzz/src/harfbuzz-shaper.cpp
+++ b/third_party/harfbuzz/src/harfbuzz-shaper.cpp
@@ -1150,10 +1150,12 @@ HB_Bool HB_OpenTypeShape(HB_ShaperItem *item, const hb_uint32 *properties)
 return false;
 face->tmpLogClusters = tmpLogClusters;
+ const int itemLength = item->item.length;
+ assert(itemLength > 0);
 for (int i = 0; i < face->length; ++i) {
 hb_buffer_add_glyph(face->buffer, item->glyphs[i], properties ? properties[i] : 0, i);
 face->tmpAttributes[i] = item->attributes[i];
- face->tmpLogClusters[i] = item->log_clusters[i];
+ face->tmpLogClusters[i] = i < itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1];
 }
 #ifdef OT_DEBUG
--
cgit v1.1
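Review bot: The harfbuzz-shaper.cpp hunk recorded in chromium.patch omits the `assert(itemLength > 0);` line that the companion change to third_party/harfbuzz/src/harfbuzz-shaper.cpp adds (compare its `+1150,12` header with the `+1150,11` recorded here), so the two copies of the fix have already diverged and re-applying chromium.patch to a fresh upstream tree would silently drop the assert. Add `++    assert(itemLength > 0);` directly after the `++    const int itemLength = item->item.length;` line and change the recorded inner header to `+@@ -1151,10 +1150,12 @@ HB_Bool HB_OpenTypeShape(HB_ShaperItem *item, const hb_uint32 *properties)`. If the assert is deliberately kept out of the patch, the source file should drop it instead, so that chromium.patch stays an exact record of the local modifications.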
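Review bot: The clamp on the `face->tmpLogClusters[i]` assignment only keeps the read in bounds when `itemLength` is positive, and the only guard is an `assert`, which is compiled out under NDEBUG; an empty item would then evaluate `item->log_clusters[itemLength - 1]` with index -1, the same class of out-of-bounds read this commit fixes, but in release builds. Unless HB_OpenTypeShape (whose body begins and ends outside this hunk) already rejects zero-length items earlier, a runtime guard before the loop is the safer form: `if (itemLength <= 0) return false;`, keeping the assert as documentation if desired. The mapping of surplus glyphs to the last cluster also deserves a why-comment on the ternary, e.g. `// Shaping can emit more glyphs than input characters (the Khmer case); map the extras to the last cluster.`, since the expression alone does not explain it. `item->item.length` is presumably an unsigned field, so the implicit narrowing to `const int` would also read more clearly as an explicit cast.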