Description
Fix a buffer overflow in blink::HarfBuzzShaper::resolveCandidateRuns()
The capacity value passed to uscript_getScriptExtensions() is
incorrectly calculated as sizeof(scriptExtensions). This results in a
buffer overflow when ICU returns more than 8 script codes.
Fix the above issue by correctly passing the number of elements the
scriptExtensions array can hold as the capacity parameter.
Additionally, expand the scriptExtensions array to USCRIPT_CODE_LIMIT
elements, to account for extra script codes returned by ICU 54.1.
Note: USCRIPT_CODE_LIMIT is probably much larger than the maximum number
of scripts that ICU will return. For example, ICU 54.1 specifies
USCRIPT_CODE_LIMIT to be 167, while the maximum value returned by
uscript_getScriptExtensions() is 17 (for code points in 0..0x10ffff).
We could use a much smaller array, but in the case it becomes
insufficient in the future, the U_BUFFER_OVERFLOW_ERROR error
returned by ICU would be silently ignored.
BUG=445075
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=188995
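The bug pattern and the fix described above, as an added C example that is not Blink's code and does not link against ICU: `get_script_extensions()` is a stand-in that mirrors the documented contract of `uscript_getScriptExtensions()` (write up to `capacity` codes, return the number available, flag a buffer-overflow error when that exceeds capacity), the per-code-point extension counts are a constructed table, and the script ids it writes are made up. `buggy_capacity()` shows what `sizeof(array)` actually hands to the callee for an `int32_t[8]`, `resolve_small()` shows the element-count capacity with the overflow error surfaced instead of ignored, and `resolve_fixed()` is the `SCRIPT_CODE_LIMIT`-sized array from the CL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the ICU names the CL refers to (assumed, not ICU's headers). */
typedef int32_t ScriptCode;
enum { SCRIPT_CODE_LIMIT = 167 };                /* value ICU 54.1 defines, per the CL */
enum { ERR_ZERO = 0, ERR_BUFFER_OVERFLOW = 1 };  /* stand-in for U_BUFFER_OVERFLOW_ERROR */

#define ARRAY_SIZE(a) ((int32_t)(sizeof(a) / sizeof((a)[0])))

/* Constructed table: code point -> number of script extensions it "has".
 * 0x0964 is given 17 entries, the maximum the CL reports ICU 54.1 returning. */
typedef struct { uint32_t cp; int32_t count; } ExtEntry;
static const ExtEntry kTable[] = {
    { 0x0041, 1  },   /* 'A': one script */
    { 0x0640, 5  },   /* constructed: a few scripts */
    { 0x0964, 17 },   /* constructed: 17 scripts, more than an [8] array holds */
};

/* Mirrors the preflighting contract of uscript_getScriptExtensions():
 * writes at most `capacity` codes, returns how many exist, and sets
 * ERR_BUFFER_OVERFLOW when more exist than fit. A caller that passes
 * sizeof(array) instead of the element count lets this write past the end. */
static int32_t get_script_extensions(uint32_t cp, ScriptCode *scripts,
                                     int32_t capacity, int *err) {
    int32_t n = 1;
    for (size_t i = 0; i < sizeof(kTable) / sizeof(kTable[0]); i++)
        if (kTable[i].cp == cp) { n = kTable[i].count; break; }
    int32_t to_write = n < capacity ? n : capacity;
    for (int32_t i = 0; i < to_write; i++)
        scripts[i] = (ScriptCode)(100 + i);   /* constructed script ids */
    if (n > capacity) *err = ERR_BUFFER_OVERFLOW;
    return n;
}

/* Pre-fix pattern: the capacity is the array's size in BYTES.
 * For int32_t[8] this promises room for 32 codes; only 8 exist. */
static int32_t buggy_capacity(void) {
    ScriptCode scriptExtensions[8];
    return (int32_t)sizeof(scriptExtensions);   /* 32, not 8 */
}

typedef struct { int32_t count; int32_t written; int err; } ResolveResult;

static ResolveResult resolve(uint32_t cp, ScriptCode *buf, int32_t capacity) {
    ResolveResult r = { 0, 0, ERR_ZERO };
    r.count = get_script_extensions(cp, buf, capacity, &r.err);
    r.written = r.count < capacity ? r.count : capacity;
    return r;
}

/* Correct capacity on the original small array: no memory corruption, but the
 * overflow error must be checked rather than silently dropped. */
static ResolveResult resolve_small(uint32_t cp) {
    ScriptCode scriptExtensions[8];
    return resolve(cp, scriptExtensions, ARRAY_SIZE(scriptExtensions));
}

/* The CL's fix: element-count capacity and a SCRIPT_CODE_LIMIT-sized array. */
static ResolveResult resolve_fixed(uint32_t cp) {
    ScriptCode scriptExtensions[SCRIPT_CODE_LIMIT];
    return resolve(cp, scriptExtensions, ARRAY_SIZE(scriptExtensions));
}

int main(void) {
    printf("buggy capacity for int32_t[8]: %d\n", buggy_capacity());
    ResolveResult s = resolve_small(0x0964);
    printf("small array: %d available, %d written, overflow=%d\n",
           s.count, s.written, s.err == ERR_BUFFER_OVERFLOW);
    ResolveResult f = resolve_fixed(0x0964);
    printf("fixed array: %d available, %d written, overflow=%d\n",
           f.count, f.written, f.err == ERR_BUFFER_OVERFLOW);
    return 0;
}
```

The `ARRAY_SIZE` idiom only works on a real array, not a pointer parameter; when the buffer is passed into a helper, carry the element count alongside it as `resolve()` does. Whether the array is 8 or 167 elements, the caller still has to look at the error code: a silently ignored overflow error means the truncated result is used as if complete.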
Patch Set 1