Modify content::GetFontTable so clients can control what is read.

content/common/child_process_sandbox_support_impl_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/child_process_sandbox_support_impl_linux.h"
 
 #include <sys/stat.h>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
@@ skipping 82 matching lines @@
   request.WriteBool(italic);
   request.WriteUInt32(charset);
   uint8_t reply_buf[64];
   int fd = -1;
   UnixDomainSocket::SendRecvMsg(GetSandboxFD(), reply_buf, sizeof(reply_buf),
                                 &fd, request);
   return fd;
 }
 
 bool GetFontTable(int fd, uint32_t table, uint8_t* output,
-                  size_t* output_length) {
+                  size_t* output_length, size_t offset) {
   if (table == 0) {
     struct stat st;
     if (fstat(fd, &st) < 0)
       return false;
     size_t length = st.st_size;
+    if (offset > length)
+      return false;
+    length -= offset;
     if (!output) {
       *output_length = length;
       return true;
     }
-    if (*output_length < length)
-      return false;
+    length = std::min(length, *output_length);
     *output_length = length;
-    ssize_t n = HANDLE_EINTR(pread(fd, output, length, 0));
+    ssize_t n = HANDLE_EINTR(pread(fd, output, length, offset));
     if (n != static_cast<ssize_t>(length))
       return false;
     return true;
   }
 
   unsigned num_tables;
   uint8_t num_tables_buf[2];
 
   ssize_t n = HANDLE_EINTR(pread(fd, &num_tables_buf, sizeof(num_tables_buf),
                            4 /* skip the font type */));
   if (n != sizeof(num_tables_buf))
     return false;
 
   num_tables = static_cast<unsigned>(num_tables_buf[0]) << 8 |
                num_tables_buf[1];
 
   // The size in bytes of an entry in the table directory.
   static const unsigned kTableEntrySize = 16;
   scoped_array<uint8_t> table_entries(
       new uint8_t[num_tables * kTableEntrySize]);
   n = HANDLE_EINTR(pread(fd, table_entries.get(), num_tables * kTableEntrySize,
                          12 /* skip the SFNT header */));
   if (n != static_cast<ssize_t>(num_tables * kTableEntrySize))
     return false;
 
-  size_t offset;
+  size_t table_offset = 0;
   size_t length = 0;
   for (unsigned i = 0; i < num_tables; i++) {
     const uint8_t* entry = table_entries.get() + i * kTableEntrySize;
     if (memcmp(entry, &table, sizeof(table)) == 0) {
-      offset = static_cast<size_t>(entry[8]) << 24 |
-               static_cast<size_t>(entry[9]) << 16 |
-               static_cast<size_t>(entry[10]) << 8  |
-               static_cast<size_t>(entry[11]);
+      table_offset = static_cast<size_t>(entry[8]) << 24 |
+                     static_cast<size_t>(entry[9]) << 16 |
+                     static_cast<size_t>(entry[10]) << 8  |
+                     static_cast<size_t>(entry[11]);
       length = static_cast<size_t>(entry[12]) << 24 |
                static_cast<size_t>(entry[13]) << 16 |
                static_cast<size_t>(entry[14]) << 8  |
                static_cast<size_t>(entry[15]);
 
       break;
     }
   }
 
-  if (!length)
+  if (!length || offset > length)
     return false;
+  length -= offset;
 
   if (!output) {
     *output_length = length;
     return true;
   }
 
-  if (*output_length < length)
-    return false;
-
+  length = std::min(length, *output_length);
   *output_length = length;
-  n = HANDLE_EINTR(pread(fd, output, length, offset));
+  n = HANDLE_EINTR(pread(fd, output, length, table_offset + offset));
   if (n != static_cast<ssize_t>(length))
     return false;
 
   return true;
 }
 
 }  // namespace content