bug 593155 - check table length before accessing cmap data. r=jdaggett approval2.0=roc

gfx/thebes/gfxDWriteFonts.cpp

@@ -422,5 +422,5 @@ gfxDWriteFont::GetFontTable(PRUint32 aTag)
                               DestroyBlobFunc, ftr);
     }
 
-    return hb_blob_create_empty();
+    return nsnull;
 }

gfx/thebes/gfxFontUtils.cpp

@@ -525,8 +525,16 @@ gfxFontUtils::FindPreferredSubtable(const PRUint8 *aBuf, PRUint32 aBufLength,
         *aUVSTableOffset = nsnull;
     }
 
+    if (!aBuf || aBufLength < SizeOfHeader) {
+        // cmap table is missing, or too small to contain header fields!
+        return 0;
+    }
+
     // PRUint16 version = ReadShortAt(aBuf, OffsetVersion); // Unused: self-documenting.
     PRUint16 numTables = ReadShortAt(aBuf, OffsetNumTables);
+    if (aBufLength < SizeOfHeader + numTables * SizeOfTable) {
+        return 0;
+    }
 
     // save the format we want here
     PRUint32 keepFormat = 0;
@@ -539,8 +547,10 @@ gfxFontUtils::FindPreferredSubtable(const PRUint8 *aBuf, PRUint32 aBufLength,
 
         const PRUint16 encodingID = ReadShortAt(table, TableOffsetEncodingID);
         const PRUint32 offset = ReadLongAt(table, TableOffsetOffset);
-
+        if (aBufLength - 2 < offset) {
-        NS_ENSURE_TRUE(offset < aBufLength, NS_ERROR_GFX_CMAP_MALFORMED);
+            // this subtable is not valid - beyond end of buffer
+            return 0;
+        }
 
         const PRUint8 *subtable = aBuf + offset;
         const PRUint16 format = ReadShortAt(subtable, SubtableOffsetFormat);