Chromium Code Reviews

Side by Side Diff: third_party/harfbuzz/src/harfbuzz-shaper.cpp

Issue 7465036: OOB read in harfbuzz with khmer character. (Closed) Base URL: http://git.chromium.org/git/chromium.git@trunk
Patch Set: Created 9 years, 5 months ago
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 2 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
3 * 3 *
4 * This is part of HarfBuzz, an OpenType Layout engine library. 4 * This is part of HarfBuzz, an OpenType Layout engine library.
5 * 5 *
6 * Permission is hereby granted, without written agreement and without 6 * Permission is hereby granted, without written agreement and without
7 * license or royalty fees, to use, copy, modify, and distribute this 7 * license or royalty fees, to use, copy, modify, and distribute this
8 * software and its documentation for any purpose, provided that the 8 * software and its documentation for any purpose, provided that the
9 * above copyright notice and the following two paragraphs appear in 9 * above copyright notice and the following two paragraphs appear in
10 * all copies of this software. 10 * all copies of this software.
(...skipping 1132 matching lines...)
1143 tmpAttributes = (HB_GlyphAttributes *) realloc(face->tmpAttributes, face->le ngth*sizeof(HB_GlyphAttributes)); 1143 tmpAttributes = (HB_GlyphAttributes *) realloc(face->tmpAttributes, face->le ngth*sizeof(HB_GlyphAttributes));
1144 if (!tmpAttributes) 1144 if (!tmpAttributes)
1145 return false; 1145 return false;
1146 face->tmpAttributes = tmpAttributes; 1146 face->tmpAttributes = tmpAttributes;
1147 1147
1148 tmpLogClusters = (unsigned int *) realloc(face->tmpLogClusters, face->length *sizeof(unsigned int)); 1148 tmpLogClusters = (unsigned int *) realloc(face->tmpLogClusters, face->length *sizeof(unsigned int));
1149 if (!tmpLogClusters) 1149 if (!tmpLogClusters)
1150 return false; 1150 return false;
1151 face->tmpLogClusters = tmpLogClusters; 1151 face->tmpLogClusters = tmpLogClusters;
1152 1152
1153 const int itemLength = item->item.length;
1153 for (int i = 0; i < face->length; ++i) { 1154 for (int i = 0; i < face->length; ++i) {
1154 hb_buffer_add_glyph(face->buffer, item->glyphs[i], properties ? properti es[i] : 0, i); 1155 hb_buffer_add_glyph(face->buffer, item->glyphs[i], properties ? properti es[i] : 0, i);
1155 face->tmpAttributes[i] = item->attributes[i]; 1156 face->tmpAttributes[i] = item->attributes[i];
1156 face->tmpLogClusters[i] = item->log_clusters[i]; 1157 face->tmpLogClusters[i] = i < itemLength ? item->log_clusters[i] : item- >log_clusters[itemLength - 1];
agl 2011/07/26 14:21:38 What happens if |itemLength| is zero? Is this impo
bashi 2011/07/27 03:24:01 I think |itemLength| is always greater than zero.
1157 } 1158 }
1158 1159
1159 #ifdef OT_DEBUG 1160 #ifdef OT_DEBUG
1160 DEBUG("-----------------------------------------"); 1161 DEBUG("-----------------------------------------");
1161 // DEBUG("log clusters before shaping:"); 1162 // DEBUG("log clusters before shaping:");
1162 // for (int j = 0; j < length; j++) 1163 // for (int j = 0; j < length; j++)
1163 // DEBUG(" log[%d] = %d", j, item->log_clusters[j]); 1164 // DEBUG(" log[%d] = %d", j, item->log_clusters[j]);
1164 DEBUG("original glyphs: %p", item->glyphs); 1165 DEBUG("original glyphs: %p", item->glyphs);
1165 for (int i = 0; i < length; ++i) 1166 for (int i = 0; i < length; ++i)
1166 DEBUG(" glyph=%4x", hb_buffer->in_string[i].gindex); 1167 DEBUG(" glyph=%4x", hb_buffer->in_string[i].gindex);
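Review bot: the clamp added at new line 1157, `i < itemLength ? item->log_clusters[i] : item->log_clusters[itemLength - 1]`, still reads `item->log_clusters[-1]` whenever `item->item.length` is zero, so for an empty item the out-of-bounds read this change is meant to remove is only relocated rather than eliminated. The thread above settles this on the assumption that `itemLength` is always greater than zero, but nothing in the hunk enforces that assumption. Suggest making it explicit next to the new `const int itemLength = item->item.length;` at line 1153, either by returning `false` (matching the existing allocation-failure returns at 1145 and 1150) when `itemLength <= 0`, or at minimum an `assert(itemLength > 0);` so a zero-length item fails loudly in debug builds instead of silently reading before the array. It would also help to record in a one-line comment why the last log cluster is the right fallback for glyph positions beyond the item's length, since the reason is not visible from this hunk.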
(...skipping 181 matching lines...)
1348 if (shaper_item->num_glyphs < shaper_item->item.length) { 1349 if (shaper_item->num_glyphs < shaper_item->item.length) {
1349 shaper_item->num_glyphs = shaper_item->item.length; 1350 shaper_item->num_glyphs = shaper_item->item.length;
1350 return false; 1351 return false;
1351 } 1352 }
1352 assert(shaper_item->item.script < HB_ScriptCount); 1353 assert(shaper_item->item.script < HB_ScriptCount);
1353 result = HB_ScriptEngines[shaper_item->item.script].shape(shaper_item); 1354 result = HB_ScriptEngines[shaper_item->item.script].shape(shaper_item);
1354 shaper_item->glyphIndicesPresent = false; 1355 shaper_item->glyphIndicesPresent = false;
1355 return result; 1356 return result;
1356 } 1357 }
1357 1358
