Limit buffer max size growth
https://github.com/behdad/harfbuzz/issues/161
This commit is contained in:
Behdad Esfahbod
parent
19300183a6
commit
4301703bdd
|
|
@ -35,6 +35,16 @@
|
|||
#include "hb-unicode-private.hh"
|
||||
|
||||
|
||||
#ifndef HB_BUFFER_MAX_EXPANSION_FACTOR
|
||||
#define HB_BUFFER_MAX_EXPANSION_FACTOR 32
|
||||
#endif
|
||||
#ifndef HB_BUFFER_MAX_LEN_MIN
|
||||
#define HB_BUFFER_MAX_LEN_MIN 8192
|
||||
#endif
|
||||
#ifndef HB_BUFFER_MAX_LEN_DEFAULT_
|
||||
#define HB_BUFFER_MAX_LEN_DEFAULT 0x3FFFFFFF /* Shaping more than a billion chars? Let us know! */
|
||||
#endif
|
||||
|
||||
ASSERT_STATIC (sizeof (hb_glyph_info_t) == 20);
|
||||
ASSERT_STATIC (sizeof (hb_glyph_info_t) == sizeof (hb_glyph_position_t));
|
||||
|
||||
|
|
@ -71,6 +81,7 @@ struct hb_buffer_t {
|
|||
hb_buffer_cluster_level_t cluster_level;
|
||||
hb_codepoint_t replacement; /* U+FFFD or something else. */
|
||||
hb_buffer_scratch_flags_t scratch_flags; /* Have space-flallback, etc. */
|
||||
unsigned int max_len; /* Maximum allowed len. */
|
||||
|
||||
/* Buffer contents */
|
||||
hb_buffer_content_type_t content_type;
|
||||
|
|
|
|||
|
|
@ -91,6 +91,11 @@ hb_buffer_t::enlarge (unsigned int size)
|
|||
{
|
||||
if (unlikely (in_error))
|
||||
return false;
|
||||
if (unlikely (size > max_len))
|
||||
{
|
||||
in_error = true;
|
||||
return false;
|
||||
}
|
||||
|
||||
unsigned int new_allocated = allocated;
|
||||
hb_glyph_position_t *new_pos = NULL;
|
||||
|
|
@ -715,6 +720,8 @@ hb_buffer_create (void)
|
|||
if (!(buffer = hb_object_create<hb_buffer_t> ()))
|
||||
return hb_buffer_get_empty ();
|
||||
|
||||
buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
|
||||
|
||||
buffer->reset ();
|
||||
|
||||
return buffer;
|
||||
|
|
@ -740,6 +747,7 @@ hb_buffer_get_empty (void)
|
|||
HB_BUFFER_CLUSTER_LEVEL_DEFAULT,
|
||||
HB_BUFFER_REPLACEMENT_CODEPOINT_DEFAULT,
|
||||
HB_BUFFER_SCRATCH_FLAG_DEFAULT,
|
||||
HB_BUFFER_MAX_LEN_DEFAULT,
|
||||
|
||||
HB_BUFFER_CONTENT_TYPE_INVALID,
|
||||
HB_SEGMENT_PROPERTIES_DEFAULT,
|
||||
|
|
|
|||
|
|
@ -798,6 +798,11 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
|
|||
{
|
||||
c->buffer->deallocate_var_all ();
|
||||
c->buffer->scratch_flags = HB_BUFFER_SCRATCH_FLAG_DEFAULT;
|
||||
if (likely (!_hb_unsigned_int_mul_overflows (c->buffer->len, HB_BUFFER_MAX_EXPANSION_FACTOR)))
|
||||
{
|
||||
c->buffer->max_len = MAX (c->buffer->len * HB_BUFFER_MAX_EXPANSION_FACTOR,
|
||||
(unsigned) HB_BUFFER_MAX_LEN_MIN);
|
||||
}
|
||||
|
||||
/* Save the original direction, we use it later. */
|
||||
c->target_direction = c->buffer->props.direction;
|
||||
|
|
@ -827,6 +832,7 @@ hb_ot_shape_internal (hb_ot_shape_context_t *c)
|
|||
|
||||
c->buffer->props.direction = c->target_direction;
|
||||
|
||||
c->buffer->max_len = HB_BUFFER_MAX_LEN_DEFAULT;
|
||||
c->buffer->deallocate_var_all ();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -39,6 +39,8 @@ hb_fuzzer_CPPFLAGS = \
|
|||
-DMAIN \
|
||||
-DHB_MAX_NESTING_LEVEL=3 \
|
||||
-DHB_SANITIZE_MAX_EDITS=3 \
|
||||
-DHB_BUFFER_MAX_EXPANSION_FACTOR=3 \
|
||||
-DHB_BUFFER_MAX_LEN_MIN=8 \
|
||||
$(NULL)
|
||||
|
||||
-include $(top_srcdir)/git.mk
|
||||
|
|
|
|||
Loading…
Reference in New Issue