author | Seigo Nonaka <nona@google.com> | 2017-09-05 14:23:47 +0900 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-12-09 19:31:30 +0300 |
commit | bf67d5eb78b581f97a0a7571cbdb03005b8e5083 (patch) | |
tree | c1e04bd2363da81251885d689a2c0165c83ff5a4 | |
parent | 6509306bbe50f3b7481672eb1f64b1bd2475a257 (diff) | |
Drop codepoints that are outside the Unicode range - DO NOT MERGE
Bug: 62134807
Test: mmma cts/tests/tests/graphics &&
adb install -r $OUT/data/app/CtsGraphicsTestCases/CtsGraphicsTestCases.apk &&
adb shell am instrument -w -e class \
android.graphics.cts.TypefaceTest \
android.graphics.cts/android.support.test.runner.AndroidJUnitRunner
Change-Id: Ic780357bde28e233a15709b5fe07cdb3c532f471
(cherry picked from commit 0e441db0f7d36480fcabbacb9f443223063956a0)
CVE-2017-0870
-rw-r--r-- | libs/minikin/CmapCoverage.cpp | 15 | ||||
-rw-r--r-- | libs/minikin/MinikinInternal.h | 2 |
2 files changed, 17 insertions, 0 deletions
diff --git a/libs/minikin/CmapCoverage.cpp b/libs/minikin/CmapCoverage.cpp
index eb46c41..11ce64b 100644
--- a/libs/minikin/CmapCoverage.cpp
+++ b/libs/minikin/CmapCoverage.cpp
@@ -25,6 +25,8 @@ using std::vector;
 #include <minikin/SparseBitSet.h>
 #include <minikin/CmapCoverage.h>
+#include "MinikinInternal.h"
+
 namespace android {
 // These could perhaps be optimized to use __builtin_bswap16 and friends.
@@ -142,6 +144,19 @@ static bool getCoverageFormat12(vector<uint32_t>& coverage, const uint8_t* data,
 android_errorWriteLog(0x534e4554, "26413177");
 return false;
 }
+
+ // No need to read outside of Unicode code point range.
+ if (start > MAX_UNICODE_CODE_POINT) {
+ return true;
+ }
+ if (end > MAX_UNICODE_CODE_POINT) {
+ // file is inclusive, vector is exclusive
+ addRange(coverage, start, MAX_UNICODE_CODE_POINT + 1);
+ if (end == 0xFFFFFFFF) {
+ android_errorWriteLog(0x534e4554, "62134807");
+ }
+ return true;
+ }
 if (!addRange(coverage, start, end + 1)) { // file is inclusive, vector is exclusive
 return false;
 }
diff --git a/libs/minikin/MinikinInternal.h b/libs/minikin/MinikinInternal.h
index b8430df..7449141 100644
--- a/libs/minikin/MinikinInternal.h
+++ b/libs/minikin/MinikinInternal.h
@@ -29,6 +29,8 @@ namespace android {
 extern Mutex gMinikinLock;
+constexpr uint32_t MAX_UNICODE_CODE_POINT = 0x10FFFF;
+
 }
 #endif // MINIKIN_INTERNAL_H |
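Review bot: The clamped branch in getCoverageFormat12 discards the result of `addRange(coverage, start, MAX_UNICODE_CODE_POINT + 1)` and returns true unconditionally, while the unchanged call just below treats a false return as a parse failure. If addRange can fail on this path, an incomplete coverage vector would be reported as success; `if (!addRange(coverage, start, MAX_UNICODE_CODE_POINT + 1)) { return false; }` ahead of the log call keeps the two paths consistent. Both new `return true` exits also stop at the first group that reaches past U+10FFFF, which presumably relies on the groups being sorted by start code; a comment such as `// groups are sorted by start code, so no later group can be in range` would make that assumption explicit. The body of getCoverageFormat12 starts and ends outside the hunk, so the enclosing loop and any ordering check are not visible here.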
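Review bot: `MAX_UNICODE_CODE_POINT` in MinikinInternal.h is declared without a comment saying the bound is inclusive, and the new code in CmapCoverage.cpp depends on that when it passes `MAX_UNICODE_CODE_POINT + 1` as an exclusive end. A one-line comment such as `// Largest valid Unicode code point, inclusive (U+10FFFF).` above the declaration would help later users avoid an off-by-one at this boundary. The header's include list is outside the hunk, so it is worth confirming that `uint32_t` is declared there rather than picked up transitively.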