From b103b5975f6ac1b1b491510b8246091f160d9013 Mon Sep 17 00:00:00 2001
From: "bashi@chromium.org"
Date: Thu, 8 Sep 2011 05:11:08 +0000
Subject: OOB read in tibetan_nextSyllableBoundary
Avoid refering tibetanForm table when the character is out of its range.
BUG=95563
TEST=manually tested with ASAN
Review URL: http://codereview.chromium.org/7841023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@100106 0039d316-1c4b-4281-b951-d872f2087c98
---
 third_party/harfbuzz/chromium.patch | 13 +++++++++++++
 third_party/harfbuzz/src/harfbuzz-tibetan.c | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
 (limited to 'third_party')
diff --git a/third_party/harfbuzz/chromium.patch b/third_party/harfbuzz/chromium.patch
index d9c87c8..84fe509 100644
--- a/third_party/harfbuzz/chromium.patch
+++ b/third_party/harfbuzz/chromium.patch
@@ -134,3 +134,16 @@ index ab5c07a..72c9aa3 100644
 } HB_ShaperFlag;
 /*
+diff --git a/src/harfbuzz-tibetan.c b/src/harfbuzz-tibetan.c
+index bfa31b1..847ac52 100644
+--- a/src/harfbuzz-tibetan.c
++++ b/src/harfbuzz-tibetan.c
+@@ -90,7 +90,7 @@ static const unsigned char tibetanForm[0x80] = {
+
+
+ #define tibetan_form(c) \
+- (TibetanForm)tibetanForm[c - 0x0f40]
++ ((c) >= 0x0f40 && (c) <= 0x0fc0 ? (TibetanForm)tibetanForm[(c) - 0x0f40] : TibetanOther)
+
+ static const HB_OpenTypeFeature tibetan_features[] = {
+ { HB_MAKE_TAG('c', 'c', 'm', 'p'), CcmpProperty },
diff --git a/third_party/harfbuzz/src/harfbuzz-tibetan.c b/third_party/harfbuzz/src/harfbuzz-tibetan.c
index bfa31b1d..847ac52 100644
--- a/third_party/harfbuzz/src/harfbuzz-tibetan.c
+++ b/third_party/harfbuzz/src/harfbuzz-tibetan.c
@@ -90,7 +90,7 @@ static const unsigned char tibetanForm[0x80] = {
 #define tibetan_form(c) \
- (TibetanForm)tibetanForm[c - 0x0f40]
+ ((c) >= 0x0f40 && (c) <= 0x0fc0 ? (TibetanForm)tibetanForm[(c) - 0x0f40] : TibetanOther)
 static const HB_OpenTypeFeature tibetan_features[] = {
 { HB_MAKE_TAG('c', 'c', 'm', 'p'), CcmpProperty },
--
cgit v1.1
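Review bot: The new upper bound in `tibetan_form` is off by one, so the out-of-bounds read is narrowed but not closed. The hunk header shows the table as `tibetanForm[0x80]`, whose valid indices are 0..0x7f, yet `(c) <= 0x0fc0` admits c == 0x0fc0, which indexes `tibetanForm[0x80]`, one element past the end. The condition should read `((c) >= 0x0f40 && (c) < 0x0fc0 ? (TibetanForm)tibetanForm[(c) - 0x0f40] : TibetanOther)`, and the copy of this line recorded in third_party/harfbuzz/chromium.patch needs the same change. The macro also now evaluates `c` up to three times, so it deserves a comment such as `/* c is evaluated more than once: pass a side-effect-free expression */`, or conversion to a `static` function. The table body and the callers of the macro lie outside the hunk.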