diff options
author | Raph Levien <raph@google.com> | 2016-01-06 14:31:23 -0800 |
---|---|---|
committer | Raph Levien <raph@google.com> | 2016-01-07 21:39:25 +0000 |
commit | ca8ac8acdad662230ae37998c6c4091bb39402b6 (patch) | |
tree | f2142f959da7f25a1c70efcfea0db2a853d194bf /libs/minikin/SparseBitSet.cpp | |
parent | 6299a6ba13906c695f7a4f6748f7bc5856a110e5 (diff) | |
download | android_frameworks_minikin-ca8ac8acdad662230ae37998c6c4091bb39402b6.tar.gz android_frameworks_minikin-ca8ac8acdad662230ae37998c6c4091bb39402b6.tar.bz2 android_frameworks_minikin-ca8ac8acdad662230ae37998c6c4091bb39402b6.zip |
Reject fonts with invalid ranges in cmap
A corrupt or malicious font may have a negative size in its cmap
range, which in turn could lead to memory corruption. This patch
detects the case and rejects the font, and also includes an assertion
in the sparse bit set implementation if we missed any such case.
External issue:
https://code.google.com/p/android/issues/detail?id=192618
Bug: 26413177
Change-Id: Icc0c80e4ef389abba0964495b89aa0fae3e9f4b2
Diffstat (limited to 'libs/minikin/SparseBitSet.cpp')
-rw-r--r-- | libs/minikin/SparseBitSet.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libs/minikin/SparseBitSet.cpp b/libs/minikin/SparseBitSet.cpp index 7acb7ba..2265ff2 100644 --- a/libs/minikin/SparseBitSet.cpp +++ b/libs/minikin/SparseBitSet.cpp @@ -14,6 +14,7 @@ * limitations under the License. */ +#include <cutils/log.h> #include <stddef.h> #include <string.h> #include <minikin/SparseBitSet.h> @@ -71,6 +72,7 @@ void SparseBitSet::initFromRanges(const uint32_t* ranges, size_t nRanges) { for (size_t i = 0; i < nRanges; i++) { uint32_t start = ranges[i * 2]; uint32_t end = ranges[i * 2 + 1]; + LOG_ALWAYS_FATAL_IF(end < start); // make sure range size is nonnegative uint32_t startPage = start >> kLogValuesPerPage; uint32_t endPage = (end - 1) >> kLogValuesPerPage; if (startPage >= nonzeroPageEnd) { |