From ca8ac8acdad662230ae37998c6c4091bb39402b6 Mon Sep 17 00:00:00 2001
From: Raph Levien <raph@google.com>
Date: Wed, 6 Jan 2016 14:31:23 -0800
Subject: Reject fonts with invalid ranges in cmap

A corrupt or malicious font may have a negative size in its cmap
range, which in turn could lead to memory corruption. This patch
detects the case and rejects the font, and also includes an assertion
in the sparse bit set implementation if we missed any such case.

External issue:
https://code.google.com/p/android/issues/detail?id=192618

Bug: 26413177
Change-Id: Icc0c80e4ef389abba0964495b89aa0fae3e9f4b2
---
 libs/minikin/SparseBitSet.cpp | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'libs/minikin/SparseBitSet.cpp')

diff --git a/libs/minikin/SparseBitSet.cpp b/libs/minikin/SparseBitSet.cpp
index 7acb7ba..2265ff2 100644
--- a/libs/minikin/SparseBitSet.cpp
+++ b/libs/minikin/SparseBitSet.cpp
@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+#include <cutils/log.h>
 #include <stddef.h>
 #include <string.h>
 #include <minikin/SparseBitSet.h>
@@ -71,6 +72,7 @@ void SparseBitSet::initFromRanges(const uint32_t* ranges, size_t nRanges) {
     for (size_t i = 0; i < nRanges; i++) {
         uint32_t start = ranges[i * 2];
         uint32_t end = ranges[i * 2 + 1];
+        LOG_ALWAYS_FATAL_IF(end < start);  // make sure range size is nonnegative
         uint32_t startPage = start >> kLogValuesPerPage;
         uint32_t endPage = (end - 1) >> kLogValuesPerPage;
         if (startPage >= nonzeroPageEnd) {
-- 
cgit v1.2.3