src/hb-blob.cc | 5 ++++-
src/hb-open-type-private.hh | 1 +
test/api/test-blob.c | 3 +++
3 files changed, 8 insertions(+), 1 deletion(-)
New commits:
commit 7d5e7613ced3dd39d05df83ca7e8952cbecd68f6
Author: Behdad Esfahbod <[email protected]>
Date: Thu Dec 18 18:22:21 2014 -0800
Fail blob creation if length overflows or is too large
Fail if blob start plus length overflows; or if blob length is greater than 2GB. It takes a while for fonts to get to that size. In the mean time, it protects against bugs like this: http://www.icu-project.org/trac/ticket/11450 Also avoids some weird issues with 32bit vs 64bit systems as we accept length as unsigned int. As such, a length of -1 will cause overflow on 32bit machines, but happily accepted on a 64bit machine. Avoid that.
diff --git a/src/hb-blob.cc b/src/hb-blob.cc
index b82b4b2..4437930 100644
--- a/src/hb-blob.cc
+++ b/src/hb-blob.cc
@@ -102,7 +102,10 @@ hb_blob_create (const char *data,
 {
 hb_blob_t *blob;
- if (!length || !(blob = hb_object_create<hb_blob_t> ())) {
+ if (!length ||
+ length >= 1u << 31 ||
+ data + length < data /* overflows */ ||
+ !(blob = hb_object_create<hb_blob_t> ())) {
 if (destroy) destroy (user_data);
 return hb_blob_get_empty ();
diff --git a/test/api/test-blob.c b/test/api/test-blob.c
index bbb7e2e..f671331 100644
--- a/test/api/test-blob.c
+++ b/test/api/test-blob.c
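Review bot: The new guard `data + length < data /* overflows */` forms a pointer past the end of the object before comparing it, which is undefined behaviour in C++, and an optimizer may fold a `p + n < p` test to false, so the 32-bit protection the commit message describes can be compiled away. Doing the comparison in integer space keeps the intent and is well-defined: `(uintptr_t) data + length < (uintptr_t) data /* overflows */ ||` (uintptr_t from <stdint.h>; presumably already reachable through the project's private header — confirm). The same concern applies to the `assert (this->start <= this->end)` added in the hb-open-type-private.hh hunk further down: it runs only after the overflowing addition, so the compiler may assume it always holds, and it disappears entirely under NDEBUG, so the length-based rejection at blob creation is the check to rely on. hb_blob_create's signature and the rest of its body are outside the hunk; this note assumes `length` is `unsigned int`, as the commit message states.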
@@ -53,6 +53,9 @@ test_blob_empty (void)
 g_assert (hb_blob_is_immutable (hb_blob_get_empty ()));
 g_assert (hb_blob_get_empty () != NULL);
 g_assert (hb_blob_get_empty () == hb_blob_create (NULL, 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
+ g_assert (hb_blob_get_empty () == hb_blob_create ("asdf", 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
+ g_assert (hb_blob_get_empty () == hb_blob_create (NULL, -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
+ g_assert (hb_blob_get_empty () == hb_blob_create ("asdfg", -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
 blob = hb_blob_get_empty ();
 g_assert (blob == hb_blob_get_empty ());
commit d5a5052098b0aa79ff55c235e61a9db477c4120f
Author: Behdad Esfahbod <[email protected]>
Date: Thu Dec 18 18:09:41 2014 -0800
Assert that blob length doesn't overflow address.
This will crash now, if blob was created with wrong length. Check for that coming next commit.
diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index 5616f04..477d9e2 100644
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh
@@ -194,6 +194,7 @@ struct hb_sanitize_context_t
 {
 this->start = hb_blob_get_data (this->blob, NULL);
 this->end = this->start + hb_blob_get_length (this->blob);
+ assert (this->start <= this->end); /* Must not overflow. */
 this->edit_count = 0;
 this->debug_depth = 0;
_______________________________________________
HarfBuzz mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/harfbuzz
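Review bot: The two new asserts pass `-1` for an `unsigned int` length and rely on implicit conversion, and because that value already fails the `length >= 1u << 31` cap in hb_blob_create, the `data + length < data` overflow branch is never reached by this test, so the coverage is narrower than it looks. Spelling the value out, `hb_blob_create (NULL, UINT_MAX, HB_MEMORY_MODE_READONLY, NULL, NULL)` (UINT_MAX from <limits.h>), makes the intent explicit and avoids a -Wsign-conversion warning, and a comment such as `/* -1 as unsigned: rejected by the 2GB cap, not by the pointer-overflow check */` would stop the next reader from assuming the overflow path is exercised. Hitting that path deterministically would need a `data` pointer near the top of the address space, which is not portable, so documenting the gap is probably the practical choice here. test_blob_empty begins and ends outside the hunk.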
