Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(525)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 868393002: Fix a buffer overflow in blink::HarfBuzzShaper::resolveCandidateRuns() (Closed)

Created:
5 years, 11 months ago by Evangelos Foutras
Modified:
5 years, 11 months ago
Reviewers:
behdad, eae, dglazkov
CC:
blink-reviews, Dominik Röttsches, krit, Rik, dshwang, jbroman, Justin Novosad, danakj, pdr+graphicswatchlist_chromium.org, f(malita), Stephen Chennney, rwlbuis, behdad, dglazkov
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Target Ref:
refs/heads/master
Project:
blink
Visibility:
Public.

Description

Fix a buffer overflow in blink::HarfBuzzShaper::resolveCandidateRuns() The capacity value passed to uscript_getScriptExtensions() is incorrectly calculated as sizeof(scriptExtensions). This results in a buffer overflow when ICU returns more than 8 script codes. Fix the above issue by correctly passing the number of elements the scriptExtensions array can hold as the capacity parameter. Additionally, expand the scriptExtensions array to USCRIPT_CODE_LIMIT elements, to account for extra script codes returned by ICU 54.1. Note: USCRIPT_CODE_LIMIT is probably much larger than the maximum number of scripts that ICU will return. For example, ICU 54.1 specifies USCRIPT_CODE_LIMIT to be 167, while the maximum value returned by uscript_getScriptExtensions() is 17 (for code points in 0..0x10ffff). We could use a much smaller array, but in the case it becomes insufficient in the future, the U_BUFFER_OVERFLOW_ERROR error returned by ICU would be silently ignored. BUG=445075 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=188995

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+3 lines, -2 lines) Patch
M Source/platform/fonts/shaping/HarfBuzzShaper.cpp View 2 chunks +3 lines, -2 lines 0 comments Download

Messages

Total messages: 13 (5 generated)
Evangelos Foutras
Sorry if I have added wrong reviewers and/or CC recipients. (I took the reviewers from ...
5 years, 11 months ago (2015-01-25 09:03:12 UTC) #2
eae
LGTM
5 years, 11 months ago (2015-01-26 18:28:02 UTC) #4
eae
167 seems a bit excessive but I suppose it is better than hard coding a ...
5 years, 11 months ago (2015-01-26 18:29:09 UTC) #5
Evangelos Foutras
On 2015/01/26 18:29:09, eae wrote: > 167 seems a bit excessive but I suppose it ...
5 years, 11 months ago (2015-01-26 18:30:55 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/868393002/1
5 years, 11 months ago (2015-01-26 20:05:59 UTC) #8
commit-bot: I haz the power
Try jobs failed on following builders: win_blink_rel on tryserver.blink (http://build.chromium.org/p/tryserver.blink/builders/win_blink_rel/builds/47812)
5 years, 11 months ago (2015-01-26 21:55:25 UTC) #10
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/868393002/1
5 years, 11 months ago (2015-01-26 22:20:56 UTC) #12
commit-bot: I haz the power
5 years, 11 months ago (2015-01-26 23:01:10 UTC) #13
Message was sent while issue was closed. 
Committed patchset #1 (id:1) as
https://src.chromium.org/viewvc/blink?view=rev&revision=188995

Powered by Google App Engine
This is Rietveld 408576698