pool/pango
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ad3be6bd9d
pango/pango-CVE-2011-0064.patch

187 lines
6.1 KiB
Diff
Raw Blame History

From 3104961bc0ffaf847d2a1e116e6de4fdc1cd8ada Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Thu, 2 Dec 2010 16:00:46 +1300
Subject: [PATCH] Handle realloc failure in the buffer
Ported from http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e
by Karl Tomlinson <karlt+@karlt.net>
---
pango/opentype/hb-buffer-private.h | 1 +
pango/opentype/hb-buffer.c | 70 +++++++++++++++++++++---------------
pango/opentype/hb-buffer.h | 2 +-
3 files changed, 43 insertions(+), 30 deletions(-)
diff --git a/pango/opentype/hb-buffer-private.h b/pango/opentype/hb-buffer-private.h
index 45cdc4d..f194786 100644
--- a/pango/opentype/hb-buffer-private.h
+++ b/pango/opentype/hb-buffer-private.h
@@ -72,6 +72,7 @@ struct _hb_buffer_t {
unsigned int allocated;
hb_bool_t have_output; /* weather we have an output buffer going on */
+ hb_bool_t in_error; /* Allocation failed */
unsigned int in_length;
unsigned int out_length;
unsigned int in_pos;
diff --git a/pango/opentype/hb-buffer.c b/pango/opentype/hb-buffer.c
index 93b51e5..e9788ad 100644
--- a/pango/opentype/hb-buffer.c
+++ b/pango/opentype/hb-buffer.c
@@ -52,23 +52,21 @@ static hb_buffer_t _hb_buffer_nil = {
* in_string and out_string.
*/
-/* XXX err handling */
-
/* Internal API */
-static void
+static hb_bool_t
hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
{
- hb_buffer_ensure (buffer, size);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
if (buffer->out_string == buffer->in_string)
{
assert (buffer->have_output);
- if (!buffer->positions)
- buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0]));
buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0]));
}
+
+ return TRUE;
}
/* Public API */
@@ -114,6 +112,7 @@ void
hb_buffer_clear (hb_buffer_t *buffer)
{
buffer->have_output = FALSE;
+ buffer->in_error = FALSE;
buffer->in_length = 0;
buffer->out_length = 0;
buffer->in_pos = 0;
@@ -122,32 +121,42 @@ hb_buffer_clear (hb_buffer_t *buffer)
buffer->max_lig_id = 0;
}
-void
+hb_bool_t
hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
{
- unsigned int new_allocated = buffer->allocated;
-
- if (size > new_allocated)
+ if (HB_UNLIKELY (size > buffer->allocated))
{
+ unsigned int new_allocated = buffer->allocated;
+ hb_internal_glyph_position_t *new_pos;
+ hb_internal_glyph_info_t *new_info;
+ hb_bool_t separate_out;
+
+ if (HB_UNLIKELY (buffer->in_error))
+ return FALSE;
+
+ separate_out = buffer->out_string != buffer->in_string;
+
while (size > new_allocated)
new_allocated += (new_allocated >> 1) + 8;
- if (buffer->positions)
- buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
+ new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0]));
+ new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
- if (buffer->out_string != buffer->in_string)
- {
- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
- buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
- }
- else
- {
- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0]));
- buffer->out_string = buffer->in_string;
- }
+ if (HB_UNLIKELY (!new_pos || !new_info))
+ buffer->in_error = TRUE;
+
+ if (HB_LIKELY (new_pos))
+ buffer->positions = new_pos;
- buffer->allocated = new_allocated;
+ if (HB_LIKELY (new_info))
+ buffer->in_string = new_info;
+
+ buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string;
+ if (HB_LIKELY (!buffer->in_error))
+ buffer->allocated = new_allocated;
}
+
+ return HB_LIKELY (!buffer->in_error);
}
void
@@ -158,7 +167,7 @@ hb_buffer_add_glyph (hb_buffer_t *buffer,
{
hb_internal_glyph_info_t *glyph;
- hb_buffer_ensure (buffer, buffer->in_length + 1);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
glyph = &buffer->in_string[buffer->in_length];
glyph->codepoint = codepoint;
@@ -213,6 +222,8 @@ _hb_buffer_swap (hb_buffer_t *buffer)
assert (buffer->have_output);
+ if (HB_UNLIKELY (buffer->in_error)) return;
+
if (buffer->out_string != buffer->in_string)
{
hb_internal_glyph_info_t *tmp_string;
@@ -265,7 +276,8 @@ _hb_buffer_add_output_glyphs (hb_buffer_t *buffer,
if (buffer->out_string != buffer->in_string ||
buffer->out_pos + num_out > buffer->in_pos + num_in)
{
- hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
+ if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out)))
+ return;
}
mask = buffer->in_string[buffer->in_pos].mask;
@@ -302,7 +314,7 @@ _hb_buffer_add_output_glyph (hb_buffer_t *buffer,
if (buffer->out_string != buffer->in_string)
{
- hb_buffer_ensure (buffer, buffer->out_pos + 1);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
}
else if (buffer->out_pos != buffer->in_pos)
@@ -332,7 +344,7 @@ _hb_buffer_next_glyph (hb_buffer_t *buffer)
if (buffer->out_string != buffer->in_string)
{
- hb_buffer_ensure (buffer, buffer->out_pos + 1);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
}
else if (buffer->out_pos != buffer->in_pos)
diff --git a/pango/opentype/hb-buffer.h b/pango/opentype/hb-buffer.h
index b030ba9..aaf6694 100644
--- a/pango/opentype/hb-buffer.h
+++ b/pango/opentype/hb-buffer.h
@@ -94,7 +94,7 @@ hb_buffer_clear (hb_buffer_t *buffer);
void
hb_buffer_clear_positions (hb_buffer_t *buffer);
-void
+hb_bool_t
hb_buffer_ensure (hb_buffer_t *buffer,
unsigned int size);
--
1.7.2.2
Reference in New Issue View Git Blame Copy Permalink