author | Raph Levien <raph@google.com> | 2015-12-08 11:29:31 -0800 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2015-12-08 11:29:31 -0800 |
commit | d56908571d3dc28686a198484d1cc8a399276d86 (patch) | |
tree | ed7b8700d3f7624976decc5ba5ed185c316f3b62 | |
parent | 79298c346088e13a0ddc93d49f4bb100afdbd14b (diff) | |
parent | ffadd191a041f16c52b693d8dc0c42b3b9f01b2b (diff) | |
Avoid integer overflows in parsing fonts am: 6299a6ba13 am: 998293f985
am: ffadd191a0
* commit 'ffadd191a041f16c52b693d8dc0c42b3b9f01b2b':
Avoid integer overflows in parsing fonts
-rw-r--r-- | libs/minikin/CmapCoverage.cpp | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/libs/minikin/CmapCoverage.cpp b/libs/minikin/CmapCoverage.cpp
index 7503372..6431000 100644
--- a/libs/minikin/CmapCoverage.cpp
+++ b/libs/minikin/CmapCoverage.cpp
@@ -29,11 +29,12 @@ namespace android {
 // These could perhaps be optimized to use __builtin_bswap16 and friends.
 static uint32_t readU16(const uint8_t* data, size_t offset) {
- return data[offset] << 8 | data[offset + 1];
+ return ((uint32_t)data[offset]) << 8 | ((uint32_t)data[offset + 1]);
 }
 static uint32_t readU32(const uint8_t* data, size_t offset) {
- return data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3];
+ return ((uint32_t)data[offset]) << 24 | ((uint32_t)data[offset + 1]) << 16 |
+ ((uint32_t)data[offset + 2]) << 8 | ((uint32_t)data[offset + 3]);
 }
 static void addRange(vector<uint32_t> &coverage, uint32_t start, uint32_t end) {
@@ -101,11 +102,13 @@ static bool getCoverageFormat12(vector<uint32_t>& coverage, const uint8_t* data,
 const size_t kGroupSize = 12;
 const size_t kStartCharCodeOffset = 0;
 const size_t kEndCharCodeOffset = 4;
+ const size_t kMaxNGroups = 0xfffffff0 / kGroupSize; // protection against overflow
+ // For all values < kMaxNGroups, kFirstGroupOffset + nGroups * kGroupSize fits in 32 bits.
 if (kFirstGroupOffset > size) {
 return false;
 }
 uint32_t nGroups = readU32(data, kNGroupsOffset);
- if (kFirstGroupOffset + nGroups * kGroupSize > size) {
+ if (nGroups >= kMaxNGroups || kFirstGroupOffset + nGroups * kGroupSize > size) {
 return false;
 }
 for (uint32_t i = 0; i < nGroups; i++) { |
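Review bot: The new casts in readU16 and readU32 carry no comment saying why they are needed, so a later cleanup could remove them as redundant. I would add above readU32 something like `// Cast before shifting: uint8_t promotes to signed int, so data[offset] << 24 overflows int when the top bit is set.` Neither reader checks `offset` against the buffer length, so the existing header comment should also state that callers must have validated `offset + 2` / `offset + 4` against `size` before calling. As a point of style, `static_cast<uint32_t>(...)` is easier to grep for than the C-style cast.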
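Review bot: The guard added to the `nGroups` check only holds while `kFirstGroupOffset` stays within the headroom left by the magic constant `0xfffffff0`, and `kFirstGroupOffset` is defined outside this hunk, so that relationship is not enforced anywhere visible. A division form needs no constant and cannot wrap, because the earlier `kFirstGroupOffset > size` check already guarantees the subtraction is safe: `if (nGroups > (size - kFirstGroupOffset) / kGroupSize) { return false; }`. If the constant is kept, the comment should name the assumption on `kFirstGroupOffset`, or a `static_assert` should pin it. getCoverageFormat12 starts and ends outside the hunk, so the handling of the per-group start and end values inside the loop is not covered by this note.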