summaryrefslogtreecommitdiffstats
path: root/libs/minikin/SparseBitSet.cpp
diff options
context:
space:
mode:
authorRaph Levien <raph@google.com>2016-01-06 14:31:23 -0800
committerRaph Levien <raph@google.com>2016-01-07 21:39:25 +0000
commitca8ac8acdad662230ae37998c6c4091bb39402b6 (patch)
treef2142f959da7f25a1c70efcfea0db2a853d194bf /libs/minikin/SparseBitSet.cpp
parent6299a6ba13906c695f7a4f6748f7bc5856a110e5 (diff)
downloadandroid_frameworks_minikin-ca8ac8acdad662230ae37998c6c4091bb39402b6.tar.gz
android_frameworks_minikin-ca8ac8acdad662230ae37998c6c4091bb39402b6.tar.bz2
android_frameworks_minikin-ca8ac8acdad662230ae37998c6c4091bb39402b6.zip
Reject fonts with invalid ranges in cmap
A corrupt or malicious font may have a negative size in its cmap range, which in turn could lead to memory corruption. This patch detects the case and rejects the font, and also includes an assertion in the sparse bit set implementation if we missed any such case. External issue: https://code.google.com/p/android/issues/detail?id=192618 Bug: 26413177 Change-Id: Icc0c80e4ef389abba0964495b89aa0fae3e9f4b2
Diffstat (limited to 'libs/minikin/SparseBitSet.cpp')
-rw-r--r--libs/minikin/SparseBitSet.cpp2
1 files changed, 2 insertions, 0 deletions
diff --git a/libs/minikin/SparseBitSet.cpp b/libs/minikin/SparseBitSet.cpp
index 7acb7ba..2265ff2 100644
--- a/libs/minikin/SparseBitSet.cpp
+++ b/libs/minikin/SparseBitSet.cpp
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#include <cutils/log.h>
#include <stddef.h>
#include <string.h>
#include <minikin/SparseBitSet.h>
@@ -71,6 +72,7 @@ void SparseBitSet::initFromRanges(const uint32_t* ranges, size_t nRanges) {
for (size_t i = 0; i < nRanges; i++) {
uint32_t start = ranges[i * 2];
uint32_t end = ranges[i * 2 + 1];
+ LOG_ALWAYS_FATAL_IF(end < start); // make sure range size is nonnegative
uint32_t startPage = start >> kLogValuesPerPage;
uint32_t endPage = (end - 1) >> kLogValuesPerPage;
if (startPage >= nonzeroPageEnd) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-23 16:37:43 +0000