From 7d5e7613ced3dd39d05df83ca7e8952cbecd68f6 Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod Date: Thu, 18 Dec 2014 18:22:21 -0800 Subject: [PATCH] Fail blob creation if length overflows or is too large Fail if blob start plus length overflows; or if blob length is greater than 2GB. It takes a while for fonts to get to that size. In the mean time, it protects against bugs like this: http://www.icu-project.org/trac/ticket/11450 Also avoids some weird issues with 32bit vs 64bit systems as we accept length as unsigned int. As such, a length of -1 will cause overflow on 32bit machines, but happily accepted on a 64bit machine. Avoid that. --- src/hb-blob.cc | 5 ++++- test/api/test-blob.c | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/hb-blob.cc b/src/hb-blob.cc index b82b4b2a3..44379301d 100644 --- a/src/hb-blob.cc +++ b/src/hb-blob.cc @@ -102,7 +102,10 @@ hb_blob_create (const char *data, { hb_blob_t *blob; - if (!length || !(blob = hb_object_create ())) { + if (!length || + length >= 1u << 31 || + data + length < data /* overflows */ || + !(blob = hb_object_create ())) { if (destroy) destroy (user_data); return hb_blob_get_empty (); diff --git a/test/api/test-blob.c b/test/api/test-blob.c index bbb7e2efc..f67133199 100644 --- a/test/api/test-blob.c +++ b/test/api/test-blob.c @@ -53,6 +53,9 @@ test_blob_empty (void) g_assert (hb_blob_is_immutable (hb_blob_get_empty ())); g_assert (hb_blob_get_empty () != NULL); g_assert (hb_blob_get_empty () == hb_blob_create (NULL, 0, HB_MEMORY_MODE_READONLY, NULL, NULL)); + g_assert (hb_blob_get_empty () == hb_blob_create ("asdf", 0, HB_MEMORY_MODE_READONLY, NULL, NULL)); + g_assert (hb_blob_get_empty () == hb_blob_create (NULL, -1, HB_MEMORY_MODE_READONLY, NULL, NULL)); + g_assert (hb_blob_get_empty () == hb_blob_create ("asdfg", -1, HB_MEMORY_MODE_READONLY, NULL, NULL)); blob = hb_blob_get_empty (); g_assert (blob == hb_blob_get_empty ());