[HarfBuzz] harfbuzz: Branch 'master'
Behdad Esfahbod
behdad at kemper.freedesktop.org
Wed Jul 20 08:44:53 UTC 2016
src/hb-buffer.cc | 8 ++++++++
1 file changed, 8 insertions(+)
New commits:
commit 6363d7df28dc4307ef1abb9857d14c35e656b85a
Author: Behdad Esfahbod <behdad at behdad.org>
Date: Wed Jul 20 01:43:56 2016 -0700
Clean up buffer area when rewinding
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=614647
If allocation fails, we might be leaving junk behind. At least
clear it up.
diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index 4552d15..3940a3d 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -183,6 +183,12 @@ hb_buffer_t::shift_forward (unsigned int count)
if (unlikely (!ensure (len + count))) return false;
memmove (info + idx + count, info + idx, (len - idx) * sizeof (info[0]));
+ if (idx + count > len)
+ {
+ /* Under memory failure we might expose this area. At least
+ * clean it up. Oh well... */
+ memset (info + len, 0, (idx + count - len) * sizeof (info[0]));
+ }
len += count;
idx += count;
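Review bot: the comment on the new memset in shift_forward does not say which region is being cleared or why it holds junk, and "Oh well..." gives a future reader nothing to act on. From the visible lines, the memmove relocates entries [idx, len) to [idx + count, len + count), so when idx + count > len the slots [len, idx + count) are neither original entries nor moved ones, yet `len += count` then brings them inside the buffer's valid length. Suggest spelling that out in the comment, for example "slots [len, idx + count) were never written; zero them so they cannot be read as glyph data if a later allocation failure leaves them in place". It is also worth asserting idx <= len before this block, since both (len - idx) in the memmove and (idx + count - len) in the memset are unsigned and depend on it.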
@@ -426,6 +432,8 @@ hb_buffer_t::move_to (unsigned int i)
/* Tricky part: rewinding... */
unsigned int count = out_len - i;
+ /* This will blow in our face if memory allocation fails later
+ * in this same lookup... */
if (unlikely (idx < count && !shift_forward (count + 32))) return false;
assert (idx >= count);
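Review bot: the comment added above the shift_forward (count + 32) call in move_to records a known failure mode without saying what actually goes wrong or what limits the damage, so it reads as an open TODO rather than documentation. Suggest naming the state that is left behind (the gap opened by shift_forward that a later step in the lookup is expected to fill) and pointing at the memset added in shift_forward as the mitigation, along with the Chromium issue from the commit message. The `+ 32` slack on the same line is also unexplained; a short note on why 32 extra slots are reserved would help, since that slack enlarges the region the new memset has to clear.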