OOB read in harfbuzz with khmer character.

OOB read in harfbuzz with khmer character.

Sets face->tmpLogClusters[i] to the last valid value of |item->log_clusters|
when |i| exceeds the size of the |item->log_clusters|.

BUG=90134
TEST=checked with ASAN and ran webkit/tools/layout_tests/run_webkit_tests.sh


Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=94616

[agl, 2011-07-26 14:21:38]

LGTM

http://codereview.chromium.org/7465036/diff/1/third_party/harfbuzz/src/harfbu...
File third_party/harfbuzz/src/harfbuzz-shaper.cpp (right):

http://codereview.chromium.org/7465036/diff/1/third_party/harfbuzz/src/harfbu...
third_party/harfbuzz/src/harfbuzz-shaper.cpp:1157: face->tmpLogClusters[i] = i <
itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1];
What happens if |itemLength| is zero? Is this impossible?

[bashi, 2011-07-27 03:24:01]

Hi agl,

Thank you taking a look.

http://codereview.chromium.org/7465036/diff/1/third_party/harfbuzz/src/harfbu...
File third_party/harfbuzz/src/harfbuzz-shaper.cpp (right):

http://codereview.chromium.org/7465036/diff/1/third_party/harfbuzz/src/harfbu...
third_party/harfbuzz/src/harfbuzz-shaper.cpp:1157: face->tmpLogClusters[i] = i <
itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1];
On 2011/07/26 14:21:38, agl wrote:
> What happens if |itemLength| is zero? Is this impossible?

I think |itemLength| is always greater than zero. Added an assertion just in
case.

[commit-bot: I haz the power, 2011-07-29 01:58:31]

Change committed as 94616