From 6363d7df28dc4307ef1abb9857d14c35e656b85a Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 20 Jul 2016 01:43:56 -0700
Subject: [PATCH] Clean up buffer area when rewinding

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=614647
If allocation fails, we might be leaving junk behind. At least clear it up.
---
 src/hb-buffer.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index 4552d15cd..3940a3dbf 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -183,6 +183,12 @@ hb_buffer_t::shift_forward (unsigned int count)
 if (unlikely (!ensure (len + count))) return false;
 memmove (info + idx + count, info + idx, (len - idx) * sizeof (info[0]));
+ if (idx + count > len)
+ {
+ /* Under memory failure we might expose this area. At least
+ * clean it up. Oh well... */
+ memset (info + len, 0, (idx + count - len) * sizeof (info[0]));
+ }
 len += count;
 idx += count;
@@ -426,6 +432,8 @@ hb_buffer_t::move_to (unsigned int i)
 /* Tricky part: rewinding... */
 unsigned int count = out_len - i;
+ /* This will blow in our face if memory allocation fails later
+ * in this same lookup... */
 if (unlikely (idx < count && !shift_forward (count + 32))) return false;
 assert (idx >= count);
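Review bot: The new memset in shift_forward only scrubs the never-written tail `[len, idx + count)`; the rest of the gap opened by the memmove, `[idx, min(idx + count, len))`, still holds stale copies of the entries that were just moved, so "junk" can still be exposed from that part if a later allocation fails. Since the live data has already been moved out of the whole gap, clearing all of it is simpler and drops the conditional and the `idx + count - len` subtraction: replace the six added lines with `memset (info + idx, 0, count * sizeof (info[0]));` directly after the memmove (assuming no caller relies on the stale copies). This stays in bounds as long as `idx <= len`, which the existing memmove already requires but which is not checked in the hunk; `ensure (len + count)` guarantees capacity for `len + count` entries. shift_forward's body starts and ends outside the hunk.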
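Review bot: The comment added above the `shift_forward (count + 32)` call records a hazard without saying what it is or what the `+ 32` is for, which is exactly what a reader of this line will ask. Suggest something like `/* Shift by count + 32 so later rewinds in this lookup can be served without another memmove; the spare slots are the area shift_forward scrubs, and if an allocation fails later in this same lookup they are what a consumer could observe. */` — the purpose of the 32 is inferred from the call rather than visible here, so confirm the wording before committing it. move_to's body starts and ends outside the hunk, so whether a later allocation failure marks the buffer as errored before that area becomes reachable cannot be checked from this hunk.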