author | Lei Zhang <leizleiz@users.noreply.github.com> | 2016-09-01 00:23:47 -0700 |
---|---|---|
committer | Lei Zhang <leizleiz@users.noreply.github.com> | 2016-09-01 00:32:19 -0700 |
commit | c9025eccdd389c91a7ff273976de794317c6928e (patch) | |
tree | 9587a041b4a77530e20e520491df7dc06d304c72 /cpp | |
parent | dd230461d199c49d762185d0b02107505d216bee (diff) | |
download | sfntly-c9025eccdd389c91a7ff273976de794317c6928e.tar.gz |
Add more bounds checks in WritableFontData.
WritableFontData::Slice() needs to do more input validation.
Same for ReadableFontData::Slice().
Same for the equivalent Java code.
Fixes https://crbug.com/642300
Diffstat (limited to 'cpp')
-rw-r--r-- | cpp/src/sfntly/data/readable_font_data.cc | 4 | ||||
-rw-r--r-- | cpp/src/sfntly/data/writable_font_data.cc | 7 |
2 files changed, 8 insertions, 3 deletions
diff --git a/cpp/src/sfntly/data/readable_font_data.cc b/cpp/src/sfntly/data/readable_font_data.cc
index 0f93fdb..9ffcb00 100644
--- a/cpp/src/sfntly/data/readable_font_data.cc
+++ b/cpp/src/sfntly/data/readable_font_data.cc
@@ -294,7 +294,9 @@ int32_t ReadableFontData::SearchULong(int32_t start_index,
 CALLER_ATTACH FontData* ReadableFontData::Slice(int32_t offset,
 int32_t length) {
- if (offset < 0 || offset + length > Size()) {
+ if (offset < 0 || length < 0 ||
+ offset > std::numeric_limits<int32_t>::max() - length ||
+ offset + length > Size()) {
 #if !defined (SFNTLY_NO_EXCEPTION)
 throw IndexOutOfBoundsException(
 "Attempt to bind data outside of its limits");
diff --git a/cpp/src/sfntly/data/writable_font_data.cc b/cpp/src/sfntly/data/writable_font_data.cc
index 4b3b440..073e9df 100644
--- a/cpp/src/sfntly/data/writable_font_data.cc
+++ b/cpp/src/sfntly/data/writable_font_data.cc
@@ -17,6 +17,7 @@
 #include "sfntly/data/writable_font_data.h"
 #include <algorithm>
+#include <limits>
 #include "sfntly/data/memory_byte_array.h"
 #include "sfntly/data/growable_memory_byte_array.h"
@@ -167,7 +168,9 @@ void WritableFontData::CopyFrom(InputStream* is) {
 CALLER_ATTACH FontData* WritableFontData::Slice(int32_t offset,
 int32_t length) {
- if (offset < 0 || offset + length > Size()) {
+ if (offset < 0 || length < 0 ||
+ offset > std::numeric_limits<int32_t>::max() - length ||
+ offset + length > Size()) {
 #if !defined (SFNTLY_NO_EXCEPTION)
 throw IndexOutOfBoundsException(
 "Attempt to bind data outside of its limits");
@@ -179,7 +182,7 @@ CALLER_ATTACH FontData* WritableFontData::Slice(int32_t offset,
 }
 CALLER_ATTACH FontData* WritableFontData::Slice(int32_t offset) {
- if (offset > Size()) {
+ if (offset < 0 || offset > Size()) {
 #if !defined (SFNTLY_NO_EXCEPTION)
 throw IndexOutOfBoundsException(
 "Attempt to bind data outside of its limits"); |
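Review bot: The new guard in ReadableFontData::Slice(offset, length) names `std::numeric_limits`, but the readable_font_data.cc section adds no `#include <limits>`, while the writable_font_data.cc section does. Unless that header is already included above the hunk, which is not visible here, the file builds only through a transitive include; adding `#include <limits>` next to its other standard headers removes the dependency. The description says the readable side gets the same validation, yet only the two-argument overload appears in this section, so it is worth confirming that a one-argument ReadableFontData::Slice(offset), if the class has one, already rejects `offset < 0` the way the writable overload now does. The function body continues past the end of the hunk.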
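Review bot: The three-clause guard in WritableFontData::Slice(offset, length) is repeated verbatim in ReadableFontData::Slice, and the overflow clause can be avoided rather than checked. Once both values are known to be non-negative, `if (offset < 0 || length < 0 || length > Size() - offset) {` rejects the same inputs without ever forming `offset + length`, assuming Size() never returns a negative value (its definition is not in the diff). That form needs no `std::numeric_limits`, and placing it in one shared helper would keep the two classes from drifting apart on a memory-safety check. The body of the function continues outside the hunk.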
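Review bot: Neither file section under cpp/ adds a test, so the new rejections are unpinned: negative `offset` in WritableFontData::Slice(offset), and negative `length` or an overflowing `offset + length` in the two-argument overloads. A regression test that passes those values and expects the out-of-bounds path would keep the checks from being weakened by a later refactor. The condition also still admits `offset == Size()`; if a slice starting at the end is intended, a comment above the check such as `// offset == Size() is allowed; the resulting slice is empty` (to be confirmed against the constructor) would record that. What the function returns when SFNTLY_NO_EXCEPTION is defined lies outside the hunk.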