summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSeigo Nonaka <nona@google.com>2017-09-05 05:23:47 (GMT)
committerIvan Kutepov <its.kutepov@gmail.com>2017-12-09 16:31:30 (GMT)
commitbf67d5eb78b581f97a0a7571cbdb03005b8e5083 (patch)
treec1e04bd2363da81251885d689a2c0165c83ff5a4
parent6509306bbe50f3b7481672eb1f64b1bd2475a257 (diff)
downloadandroid_frameworks_minikin-bf67d5eb78b581f97a0a7571cbdb03005b8e5083.zip
android_frameworks_minikin-bf67d5eb78b581f97a0a7571cbdb03005b8e5083.tar.gz
android_frameworks_minikin-bf67d5eb78b581f97a0a7571cbdb03005b8e5083.tar.bz2
Drop codepoints that are outside the Unicode range - DO NOT MERGEHEADreplicant-6.0-0004-rc2replicant-6.0-0004-rc1cm-13.0
Bug: 62134807 Test: mmma cts/tests/tests/graphics && adb install -r $OUT/data/app/CtsGraphicsTestCases/CtsGraphicsTestCases.apk && adb shell am instrument -w -e class \ android.graphics.cts.TypefaceTest \ android.graphics.cts/android.support.test.runner.AndroidJUnitRunner Change-Id: Ic780357bde28e233a15709b5fe07cdb3c532f471 (cherry picked from commit 0e441db0f7d36480fcabbacb9f443223063956a0) CVE-2017-0870
-rw-r--r--libs/minikin/CmapCoverage.cpp15
-rw-r--r--libs/minikin/MinikinInternal.h2
2 files changed, 17 insertions, 0 deletions
diff --git a/libs/minikin/CmapCoverage.cpp b/libs/minikin/CmapCoverage.cpp
index eb46c41..11ce64b 100644
--- a/libs/minikin/CmapCoverage.cpp
+++ b/libs/minikin/CmapCoverage.cpp
@@ -25,6 +25,8 @@ using std::vector;
#include <minikin/SparseBitSet.h>
#include <minikin/CmapCoverage.h>
+#include "MinikinInternal.h"
+
namespace android {
// These could perhaps be optimized to use __builtin_bswap16 and friends.
@@ -142,6 +144,19 @@ static bool getCoverageFormat12(vector<uint32_t>& coverage, const uint8_t* data,
android_errorWriteLog(0x534e4554, "26413177");
return false;
}
+
+ // No need to read outside of Unicode code point range.
+ if (start > MAX_UNICODE_CODE_POINT) {
+ return true;
+ }
+ if (end > MAX_UNICODE_CODE_POINT) {
+ // file is inclusive, vector is exclusive
+ addRange(coverage, start, MAX_UNICODE_CODE_POINT + 1);
+ if (end == 0xFFFFFFFF) {
+ android_errorWriteLog(0x534e4554, "62134807");
+ }
+ return true;
+ }
if (!addRange(coverage, start, end + 1)) { // file is inclusive, vector is exclusive
return false;
}
diff --git a/libs/minikin/MinikinInternal.h b/libs/minikin/MinikinInternal.h
index b8430df..7449141 100644
--- a/libs/minikin/MinikinInternal.h
+++ b/libs/minikin/MinikinInternal.h
@@ -29,6 +29,8 @@ namespace android {
extern Mutex gMinikinLock;
+constexpr uint32_t MAX_UNICODE_CODE_POINT = 0x10FFFF;
+
}
#endif // MINIKIN_INTERNAL_H