From 5ab666d34a8992918954faf4e1b277a2daa44005 Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Fri, 3 Sep 2010 11:45:53 +0100
Subject: [PATCH] bug 593155 - check table length before accessing cmap data. r=jdaggett approval2.0=roc

---
 gfx/thebes/gfxDWriteFonts.cpp | 2 +-
 gfx/thebes/gfxFontUtils.cpp | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/gfx/thebes/gfxDWriteFonts.cpp b/gfx/thebes/gfxDWriteFonts.cpp
index 002b6272e527..712f247e7680 100644
--- a/gfx/thebes/gfxDWriteFonts.cpp
+++ b/gfx/thebes/gfxDWriteFonts.cpp
@@ -422,5 +422,5 @@ gfxDWriteFont::GetFontTable(PRUint32 aTag)
                               DestroyBlobFunc, ftr);
     }
-    return hb_blob_create_empty();
+    return nsnull;
 }
diff --git a/gfx/thebes/gfxFontUtils.cpp b/gfx/thebes/gfxFontUtils.cpp
index a88133c5910f..cb4a6c669acc 100644
--- a/gfx/thebes/gfxFontUtils.cpp
+++ b/gfx/thebes/gfxFontUtils.cpp
@@ -525,8 +525,16 @@ gfxFontUtils::FindPreferredSubtable(const PRUint8 *aBuf, PRUint32 aBufLength,
         *aUVSTableOffset = nsnull;
     }
 
+    if (!aBuf || aBufLength < SizeOfHeader) {
+        // cmap table is missing, or too small to contain header fields!
+        return 0;
+    }
+
     // PRUint16 version = ReadShortAt(aBuf, OffsetVersion); // Unused: self-documenting.
     PRUint16 numTables = ReadShortAt(aBuf, OffsetNumTables);
+    if (aBufLength < SizeOfHeader + numTables * SizeOfTable) {
+        return 0;
+    }
 
     // save the format we want here
     PRUint32 keepFormat = 0;
@@ -539,8 +547,10 @@ gfxFontUtils::FindPreferredSubtable(const PRUint8 *aBuf, PRUint32 aBufLength,
         const PRUint16 encodingID = ReadShortAt(table, TableOffsetEncodingID);
         const PRUint32 offset = ReadLongAt(table, TableOffsetOffset);
 
-
-        NS_ENSURE_TRUE(offset < aBufLength, NS_ERROR_GFX_CMAP_MALFORMED);
+        if (aBufLength - 2 < offset) {
+            // this subtable is not valid - beyond end of buffer
+            return 0;
+        }
 
         const PRUint8 *subtable = aBuf + offset;
         const PRUint16 format = ReadShortAt(subtable, SubtableOffsetFormat);
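Review bot: Returning `nsnull` in place of `hb_blob_create_empty()` changes GetFontTable's contract from "always a blob" to "may be null", so any caller that unconditionally passes the result to hb_blob_get_data/hb_blob_destroy now dereferences null for a missing table; the callers are not visible from this hunk, so please confirm each one null-checks (FindPreferredSubtable's new `!aBuf` guard suggests at least that path was considered). A one-line comment above the return, `// table not present: callers must check for null`, would make the new contract explicit at the only place it is decided. The start of GetFontTable lies outside the hunk.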
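Review bot: The new bound `aBufLength - 2 < offset` only guarantees that the two-byte format field at `subtable` is inside the buffer; whatever the per-format parsing after this hunk reads next (a length or segment-count field, presumably) still has to be checked against `aBufLength - offset`, and that code is not visible here. The comment `// this subtable is not valid - beyond end of buffer` overstates what is tested; `// subtable must have at least its 2-byte format field inside the buffer` matches the condition. The subtraction form avoids the overflow that `offset + 2 > aBufLength` would have with an attacker-chosen 32-bit offset, but it is only underflow-safe because the earlier hunk rejects buffers shorter than the header, so a short comment tying the two checks together would help the next reader. Returning 0 on the first bad entry also discards any later well-formed subtable; if that is not intended, `continue` would skip just the malformed entry — the loop head is outside the hunk.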