
Unified Diff: content/common/child_process_sandbox_support_impl_linux.cc

Issue 12433021: Modify content::GetFontTable so clients can control what is read. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 9 months ago
Index: content/common/child_process_sandbox_support_impl_linux.cc
diff --git a/content/common/child_process_sandbox_support_impl_linux.cc b/content/common/child_process_sandbox_support_impl_linux.cc
index 984f796f728bb82c76add00c74cf59aef4ec082a..7bdd50bbe4e038dbc62225cddc126f7b2e255a1d 100644
--- a/content/common/child_process_sandbox_support_impl_linux.cc
+++ b/content/common/child_process_sandbox_support_impl_linux.cc
@@ -100,20 +100,22 @@ int MatchFontWithFallback(const std::string& face, bool bold,
}
bool GetFontTable(int fd, uint32_t table, uint8_t* output,
- size_t* output_length) {
+ size_t* output_length, size_t offset) {
if (table == 0) {
struct stat st;
if (fstat(fd, &st) < 0)
return false;
size_t length = st.st_size;
+ if (offset > length)
+ return false;
+ length -= offset;
if (!output) {
*output_length = length;
return true;
}
- if (*output_length < length)
- return false;
+ length = std::min(length, *output_length);
*output_length = length;
- ssize_t n = HANDLE_EINTR(pread(fd, output, length, 0));
+ ssize_t n = HANDLE_EINTR(pread(fd, output, length, offset));
if (n != static_cast<ssize_t>(length))
return false;
return true;
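Review bot: A caller whose buffer is too small now gets `true` and a truncated table, because the `*output_length < length` rejection is replaced by `length = std::min(length, *output_length);`, both here and in the per-table branch further down. The callers are outside this diff, so it is worth confirming that each one either sizes its buffer from a prior `output == NULL` query or compares the returned `*output_length` with the size it expects before handing the bytes to a font parser. A contract comment at the declaration would make this explicit, for example `// Copies at most *output_length bytes starting |offset| bytes into the table; on success *output_length is the number of bytes copied, which may be less than the table size.` Also confirm `<algorithm>` is included for `std::min`, since the include block is not part of this hunk. GetFontTable's body continues past the end of the hunk.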
@@ -139,15 +141,15 @@ bool GetFontTable(int fd, uint32_t table, uint8_t* output,
if (n != static_cast<ssize_t>(num_tables * kTableEntrySize))
return false;
- size_t offset;
+ size_t table_offset = 0;
size_t length = 0;
for (unsigned i = 0; i < num_tables; i++) {
const uint8_t* entry = table_entries.get() + i * kTableEntrySize;
if (memcmp(entry, &table, sizeof(table)) == 0) {
- offset = static_cast<size_t>(entry[8]) << 24 |
- static_cast<size_t>(entry[9]) << 16 |
- static_cast<size_t>(entry[10]) << 8 |
- static_cast<size_t>(entry[11]);
+ table_offset = static_cast<size_t>(entry[8]) << 24 |
+ static_cast<size_t>(entry[9]) << 16 |
+ static_cast<size_t>(entry[10]) << 8 |
+ static_cast<size_t>(entry[11]);
length = static_cast<size_t>(entry[12]) << 24 |
static_cast<size_t>(entry[13]) << 16 |
static_cast<size_t>(entry[14]) << 8 |
@@ -157,19 +159,18 @@ bool GetFontTable(int fd, uint32_t table, uint8_t* output,
}
}
- if (!length)
+ if (!length || offset > length)
return false;
+ length -= offset;
if (!output) {
*output_length = length;
return true;
}
- if (*output_length < length)
- return false;
-
+ length = std::min(length, *output_length);
*output_length = length;
- n = HANDLE_EINTR(pread(fd, output, length, offset));
+ n = HANDLE_EINTR(pread(fd, output, length, table_offset + offset));
if (n != static_cast<ssize_t>(length))
return false;
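Review bot: Nothing bounds the sum `table_offset + offset` passed to `pread`, and `table_offset` is decoded from a table-directory entry that appears to come straight from the font file. Where `size_t` is 32 bits the addition can wrap before it is converted to `off_t`, so a malformed directory could make the read land at an unrelated position in the file; the copy itself stays bounded by `*output_length`. A guard before the read such as `if (table_offset > std::numeric_limits<size_t>::max() - offset) return false;` would reject that case (it needs `<limits>`). Separately, `offset == length` passes the new check and appears to succeed with zero bytes while a zero-length table returns false, so a one-line comment stating that this is intended would help. The function starts before this hunk and its end is not visible here.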
