Fix possible snprintf OOM

https://bugzilla.redhat.com/show_bug.cgi?id=1001645
Behdad Esfahbod 2013-08-27 11:44:09 -04:00
parent d22548c0e3
commit 38b8b40526
3 changed files with 12 additions and 11 deletions


@ -100,10 +100,10 @@ _hb_buffer_serialize_glyphs_json (hb_buffer_t *buffer,
*p++ = '"'; *p++ = '"';
} }
else else
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), "%u", info[i].codepoint); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), "%u", info[i].codepoint));
if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_CLUSTERS)) { if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_CLUSTERS)) {
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), ",\"cl\":%u", info[i].cluster); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), ",\"cl\":%u", info[i].cluster));
} }
if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_POSITIONS)) if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_POSITIONS))
@ -161,21 +161,21 @@ _hb_buffer_serialize_glyphs_text (hb_buffer_t *buffer,
p += strlen (p); p += strlen (p);
} }
else else
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), "%u", info[i].codepoint); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), "%u", info[i].codepoint));
if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_CLUSTERS)) { if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_CLUSTERS)) {
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), "=%u", info[i].cluster); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), "=%u", info[i].cluster));
} }
if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_POSITIONS)) if (!(flags & HB_BUFFER_SERIALIZE_FLAG_NO_POSITIONS))
{ {
if (pos[i].x_offset || pos[i].y_offset) if (pos[i].x_offset || pos[i].y_offset)
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), "@%d,%d", pos[i].x_offset, pos[i].y_offset); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), "@%d,%d", pos[i].x_offset, pos[i].y_offset));
*p++ = '+'; *p++ = '+';
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), "%d", pos[i].x_advance); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), "%d", pos[i].x_advance));
if (pos->y_advance) if (pos->y_advance)
p += snprintf (p, ARRAY_LENGTH (b) - (p - b), ",%d", pos[i].y_advance); p += MAX (0, snprintf (p, ARRAY_LENGTH (b) - (p - b), ",%d", pos[i].y_advance));
} }
if (buf_size > (p - b)) if (buf_size > (p - b))
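Review bot: The `MAX (0, ...)` wrapper on the snprintf calls in both serializer hunks only covers the negative error return; on truncation snprintf returns the length it would have written, so `p` can still move past the end of `b`, after which `ARRAY_LENGTH (b) - (p - b)` no longer describes the space left and the bare `*p++ = '+'` stores are unbounded. Whether that is reachable depends on how `b` is sized against the longest glyph record, and its declaration is outside these hunks. If the size is guaranteed sufficient, a comment or assert at the declaration should say so; otherwise clamp the advance too, e.g. `int n = snprintf (p, rem, ...); p += MAX (0, MIN (n, (int) rem - 1));` with `rem` the space left. The same pattern appears in hb_feature_to_string, where the only bound check is the `assert` that runs after the writes. Separately, the context line `if (pos->y_advance)` tests the first position while the line below prints `pos[i].y_advance`, so it looks like it should read `if (pos[i].y_advance)`.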


@ -426,7 +426,8 @@ struct hb_font_t {
{ {
if (get_glyph_name (glyph, s, size)) return; if (get_glyph_name (glyph, s, size)) return;
snprintf (s, size, "gid%u", glyph); if (size && snprintf (s, size, "gid%u", glyph) < 0)
*s = '\0';
} }
/* Parses gidDDD and uniUUUU strings automatically. */ /* Parses gidDDD and uniUUUU strings automatically. */
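Review bot: The new fallback on the `snprintf (s, size, "gid%u", glyph)` line carries no comment, and its single condition folds together two separate concerns: the `size &&` guard and the `< 0` error check. A short comment above it would record the intent, for example `/* Always leave a valid string in s: skip the write when size is 0, and terminate s ourselves if snprintf fails. */`. The function's signature is outside the hunk, so what get_glyph_name leaves in `s` when it returns false cannot be checked from here.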


@ -181,18 +181,18 @@ hb_feature_to_string (hb_feature_t *feature,
{ {
s[len++] = '['; s[len++] = '[';
if (feature->start) if (feature->start)
len += snprintf (s + len, ARRAY_LENGTH (s) - len, "%d", feature->start); len += MAX (0, snprintf (s + len, ARRAY_LENGTH (s) - len, "%d", feature->start));
if (feature->end != feature->start + 1) { if (feature->end != feature->start + 1) {
s[len++] = ':'; s[len++] = ':';
if (feature->end != (unsigned int) -1) if (feature->end != (unsigned int) -1)
len += snprintf (s + len, ARRAY_LENGTH (s) - len, "%d", feature->end); len += MAX (0, snprintf (s + len, ARRAY_LENGTH (s) - len, "%d", feature->end));
} }
s[len++] = ']'; s[len++] = ']';
} }
if (feature->value > 1) if (feature->value > 1)
{ {
s[len++] = '='; s[len++] = '=';
len += snprintf (s + len, ARRAY_LENGTH (s) - len, "%d", feature->value); len += MAX (0, snprintf (s + len, ARRAY_LENGTH (s) - len, "%d", feature->value));
} }
assert (len < ARRAY_LENGTH (s)); assert (len < ARRAY_LENGTH (s));
len = MIN (len, size - 1); len = MIN (len, size - 1);
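Review bot: `feature->end` is formatted with `%d` although the line above compares it with `(unsigned int) -1`, which suggests the field is unsigned; a value above INT_MAX would then print as a negative number, and the specifier mismatch is formally undefined. If start, end and value are unsigned in hb_feature_t (its declaration is not in this hunk), `%u` is the matching conversion, e.g. `snprintf (s + len, ARRAY_LENGTH (s) - len, "%u", feature->end)`. The function starts above the hunk and continues below it.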