walkero
/
harfbuzz
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[kerx] Fix integer overflow in multiply 

Fixes https://oss-fuzz.com/v2/testcase-detail/5754863779053568
This commit is contained in:
Behdad Esfahbod 2018-11-12 14:11:29 -05:00
parent 1300f027a9
commit c8f4cc4927
2 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/hb-aat-layout-kerx-table.hh
View File

@ -267,7 +267,7 @@ struct KerxSubTableFormat1
unsigned int kern_idx = Format1EntryT::kernActionIndex (entry);
kern_idx = Types::offsetToIndex (kern_idx, &table->machine, kernAction.arrayZ);
const FWORD *actions = &kernAction[kern_idx];
if (!c->sanitizer.check_array (actions, depth * tuple_count))
if (!c->sanitizer.check_array2 (actions, depth, tuple_count))
{
depth = 0;
return false;

29
src/hb-machinery.hh
View File

@ -298,7 +298,8 @@ struct hb_sanitize_context_t :
this->start = this->end = nullptr;
}
inline bool check_range (const void *base, unsigned int len) const
inline bool check_range (const void *base,
unsigned int len) const
{
const char *p = (const char *) base;
bool ok = this->start <= p &&
@ -316,20 +317,22 @@ struct hb_sanitize_context_t :
}
template <typename T>
inline bool check_array (const T *base, unsigned int len, unsigned int record_size = T::static_size) const
inline bool check_array (const T *base,
unsigned int len,
unsigned int record_size = T::static_size) const
{
const char *p = (const char *) base;
bool overflows = hb_unsigned_mul_overflows (len, record_size);
unsigned int array_size = record_size * len;
bool ok = !overflows && this->check_range (base, array_size);
return !hb_unsigned_mul_overflows (len, record_size) &&
this->check_range (base, len * record_size);
}
DEBUG_MSG_LEVEL (SANITIZE, p, this->debug_depth+1, 0,
"check_array [%p..%p] (%d*%d=%d bytes) in [%p..%p] -> %s",
p, p + (record_size * len), record_size, len, (unsigned int) array_size,
this->start, this->end,
overflows ? "OVERFLOWS" : ok ? "OK" : "OUT-OF-RANGE");
return likely (ok);
template <typename T>
inline bool check_array2 (const T *base,
unsigned int a,
unsigned int b,
unsigned int record_size = T::static_size) const
{
return !hb_unsigned_mul_overflows (a, b) &&
this->check_array (base, a * b, record_size);
}
template <typename Type>