Fail blob creation if length overflows or is too large
Fail if blob start plus length overflows, or if blob length is greater than 2GB. It takes a while for fonts to get to that size. In the meantime, it protects against bugs like this: http://www.icu-project.org/trac/ticket/11450 Also avoids some weird issues with 32-bit vs 64-bit systems, as we accept length as unsigned int. As such, a length of -1 will cause overflow on 32-bit machines, but is happily accepted on a 64-bit machine. Avoid that.
This commit is contained in:
parent
d5a5052098
commit
7d5e7613ce
@ -102,7 +102,10 @@ hb_blob_create (const char *data,
|
||||||
{
|
{
|
||||||
hb_blob_t *blob;
|
hb_blob_t *blob;
|
||||||
|
|
||||||
if (!length || !(blob = hb_object_create<hb_blob_t> ())) {
|
if (!length ||
|
||||||
|
length >= 1u << 31 ||
|
||||||
|
data + length < data /* overflows */ ||
|
||||||
|
!(blob = hb_object_create<hb_blob_t> ())) {
|
||||||
if (destroy)
|
if (destroy)
|
||||||
destroy (user_data);
|
destroy (user_data);
|
||||||
return hb_blob_get_empty ();
|
return hb_blob_get_empty ();
|
||||||
|
|
|
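Review bot: The new guard `data + length < data /* overflows */` relies on pointer arithmetic wrapping, but forming a pointer beyond the end of the object `data` points at is undefined behaviour, so an optimizing compiler may treat `data + length < data` as always false and drop the check entirely. Doing the comparison in an integer type keeps the intent and is well-defined, e.g. `(uintptr_t) data > UINTPTR_MAX - length /* data + length would overflow */ ||` (assuming `<stdint.h>` is available to this file, which the hunk does not show). The `length >= 1u << 31` line would also read better with its purpose named, e.g. `/* 2GB cap; also rejects (unsigned) -1 on 64-bit, where no pointer wrap occurs */`. hb_blob_create's body begins and ends outside the hunk.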
@ -53,6 +53,9 @@ test_blob_empty (void)
|
||||||
g_assert (hb_blob_is_immutable (hb_blob_get_empty ()));
|
g_assert (hb_blob_is_immutable (hb_blob_get_empty ()));
|
||||||
g_assert (hb_blob_get_empty () != NULL);
|
g_assert (hb_blob_get_empty () != NULL);
|
||||||
g_assert (hb_blob_get_empty () == hb_blob_create (NULL, 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
|
g_assert (hb_blob_get_empty () == hb_blob_create (NULL, 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
|
||||||
|
g_assert (hb_blob_get_empty () == hb_blob_create ("asdf", 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
|
||||||
|
g_assert (hb_blob_get_empty () == hb_blob_create (NULL, -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
|
||||||
|
g_assert (hb_blob_get_empty () == hb_blob_create ("asdfg", -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
|
||||||
|
|
||||||
blob = hb_blob_get_empty ();
|
blob = hb_blob_get_empty ();
|
||||||
g_assert (blob == hb_blob_get_empty ());
|
g_assert (blob == hb_blob_get_empty ());
|
||||||
|
|
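Review bot: The two new asserts pass `-1` for an `unsigned int` length parameter without saying why, and the point of the case is easy to lose: `-1` converts to `UINT_MAX`, which on a 64-bit build does not make `data + length` wrap and is rejected only by the size cap. A comment above them, `/* -1 converts to UINT_MAX: must be rejected by the length cap, not only by pointer wrap */`, would record that. The cut-off itself is untested; if hb_blob_create does not read the bytes in HB_MEMORY_MODE_READONLY (not visible here), `g_assert (hb_blob_get_empty () == hb_blob_create ("asdf", 1u << 31, HB_MEMORY_MODE_READONLY, NULL, NULL));` pins the exact boundary without needing a 2GB buffer. test_blob_empty begins and ends outside the hunk.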