[HarfBuzz] harfbuzz: Branch 'master' - 2 commits

Behdad Esfahbod behdad at kemper.freedesktop.org
Thu Dec 18 18:24:13 PST 2014


 src/hb-blob.cc              |    5 ++++-
 src/hb-open-type-private.hh |    1 +
 test/api/test-blob.c        |    3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)

New commits:
commit 7d5e7613ced3dd39d05df83ca7e8952cbecd68f6
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Thu Dec 18 18:22:21 2014 -0800

    Fail blob creation if length overflows or is too large
    
    Fail if blob start plus length overflows; or if blob length
    is greater than 2GB.  It takes a while for fonts to get to that
    size.  In the meantime, it protects against bugs like this:
    
      http://www.icu-project.org/trac/ticket/11450
    
    Also avoids some weird issues with 32-bit vs 64-bit systems,
    as we accept length as unsigned int.  As such, a length of
    -1 will cause overflow on 32-bit machines, but be happily
    accepted on a 64-bit machine.  Avoid that.
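
The 32-bit versus 64-bit situation the message describes, as an added example (this is not HarfBuzz code and does not come from the commit): a standalone C program that models an address space of a given width in plain integer arithmetic to show why a length of (unsigned int) -1 wraps on 32-bit but not on 64-bit, next to a hardened form of the creation-time guard that does the wrap test on uintptr_t instead of on the pointer. The names end_address_wraps, blob_length_ok, BLOB_MAX_LENGTH and the sample string are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not HarfBuzz code.  BLOB_MAX_LENGTH mirrors the 2GB cap
 * in the patch; the name is an assumption, not a HarfBuzz identifier.
 * unsigned int is assumed to be 32 bits wide, as the patch's 1u << 31 does. */
#define BLOB_MAX_LENGTH (1u << 31)

/* Constructed sample input for the demonstration below. */
static const char sample_data[] = "asdfg";

/* Model of the message's observation: does base + length leave an address
 * space of addr_bits bits?  Evaluated in 64-bit integer arithmetic so the
 * same code can ask the question for both widths without doing any
 * (undefined) out-of-object pointer arithmetic. */
static int end_address_wraps (uint64_t base, unsigned int length, int addr_bits)
{
  uint64_t max_addr = (addr_bits >= 64) ? UINT64_MAX
                                        : (((uint64_t) 1 << addr_bits) - 1);
  if (base > max_addr)
    return 1;                       /* base itself is not a valid address */
  return length > max_addr - base;  /* base + length > max_addr, without overflowing */
}

/* Hardened form of the patch's guard for a real pointer on this host.
 * Returns 1 if (data, length) can be accepted, 0 if it must be rejected.
 * The wrap test is done on uintptr_t: `data + length < data` is undefined
 * behaviour in C once the sum leaves the object, and an optimizer may
 * delete such a comparison outright. */
static int blob_length_ok (const char *data, unsigned int length)
{
  uintptr_t base = (uintptr_t) data;

  if (length == 0)
    return 0;                            /* empty blob */
  if (length >= BLOB_MAX_LENGTH)
    return 0;                            /* >= 2GB; also catches (unsigned int) -1 */
  if ((uintptr_t) length > UINTPTR_MAX - base)
    return 0;                            /* data + length would wrap the address space */
  return 1;
}

int main (void)
{
  unsigned int minus_one = (unsigned int) -1;   /* what a caller passing -1 hands over */

  /* -1 wraps on 32-bit for any non-zero base, but fits in a 64-bit space. */
  printf ("32-bit, base 0x1000, length -1: wraps=%d\n",
          end_address_wraps (0x1000, minus_one, 32));
  printf ("64-bit, base 0x1000, length -1: wraps=%d\n",
          end_address_wraps (0x1000, minus_one, 64));

  /* The size cap rejects the same length on either architecture. */
  printf ("blob_length_ok(sample, 5)  = %d\n", blob_length_ok (sample_data, 5));
  printf ("blob_length_ok(sample, 0)  = %d\n", blob_length_ok (sample_data, 0));
  printf ("blob_length_ok(sample, -1) = %d\n", blob_length_ok (sample_data, minus_one));
  return 0;
}
```

The point of the cap is that it makes the outcome architecture-independent: once lengths of 2GB and above are refused, the wrap test only has to cover the residual case where a valid-sized blob sits within 2GB of the top of the address space, and doing that test in integer space keeps it from being optimized away.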

diff --git a/src/hb-blob.cc b/src/hb-blob.cc
index b82b4b2..4437930 100644
--- a/src/hb-blob.cc
+++ b/src/hb-blob.cc
@@ -102,7 +102,10 @@ hb_blob_create (const char        *data,
 {
   hb_blob_t *blob;
 
-  if (!length || !(blob = hb_object_create<hb_blob_t> ())) {
+  if (!length ||
+      length >= 1u << 31 ||
+      data + length < data /* overflows */ ||
+      !(blob = hb_object_create<hb_blob_t> ())) {
     if (destroy)
       destroy (user_data);
     return hb_blob_get_empty ();
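Review bot: the new overflow guard `data + length < data /* overflows */` is undefined behaviour in C++ (it forms a pointer outside the object before comparing), and an optimizer is entitled to fold the comparison to false, so the check can silently vanish in an optimized build. Compare in integer space instead, e.g. `(uintptr_t) length > UINTPTR_MAX - (uintptr_t) data`, or rely on the length cap alone. Also, `length >= 1u << 31` is a bare magic number; a named constant, plus a note in the hb_blob_create documentation that lengths of 2GB and above are refused, would let callers understand why they get hb_blob_get_empty () back.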
diff --git a/test/api/test-blob.c b/test/api/test-blob.c
index bbb7e2e..f671331 100644
--- a/test/api/test-blob.c
+++ b/test/api/test-blob.c
@@ -53,6 +53,9 @@ test_blob_empty (void)
   g_assert (hb_blob_is_immutable (hb_blob_get_empty ()));
   g_assert (hb_blob_get_empty () != NULL);
   g_assert (hb_blob_get_empty () == hb_blob_create (NULL, 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
+  g_assert (hb_blob_get_empty () == hb_blob_create ("asdf", 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
+  g_assert (hb_blob_get_empty () == hb_blob_create (NULL, -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
+  g_assert (hb_blob_get_empty () == hb_blob_create ("asdfg", -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
 
   blob = hb_blob_get_empty ();
   g_assert (blob == hb_blob_get_empty ());
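Review bot: all three new assertions are rejected by the `!length` or `length >= 1u << 31` branches of hb_blob_create, so the `data + length < data` overflow path stays untested. A non-wrapping 2GB buffer cannot be built in a unit test, but asserting the exact boundary `1u << 31` directly would pin the cap down better than passing `-1`, which only works through implicit conversion to the `unsigned int` parameter and will also trip `-Wsign-conversion` warnings.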
commit d5a5052098b0aa79ff55c235e61a9db477c4120f
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Thu Dec 18 18:09:41 2014 -0800

    Assert that blob length doesn't overflow address.
    
    This will crash now if the blob was created with a wrong length.
    The check for that is coming in the next commit.

diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index 5616f04..477d9e2 100644
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh
@@ -194,6 +194,7 @@ struct hb_sanitize_context_t
   {
     this->start = hb_blob_get_data (this->blob, NULL);
     this->end = this->start + hb_blob_get_length (this->blob);
+    assert (this->start <= this->end); /* Must not overflow. */
     this->edit_count = 0;
     this->debug_depth = 0;
 
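Review bot: `assert` compiles to nothing under NDEBUG, so release builds get no protection from the added line; the commit message defers the real fix to the creation-side check in the next commit, but a release-safe fallback here (for example clamping `this->end = this->start` when `this->start > this->end`) would keep the sanitizer from walking past a wrapped end pointer if a bad-length blob ever reaches it by another route. Note also that `this->start + hb_blob_get_length (this->blob)` on the preceding line is itself the pointer-arithmetic overflow the assert tries to detect, so the comparison may be optimized away for the same reason, and the hunk does not show whether this header includes <assert.h>.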


More information about the HarfBuzz mailing list