Fail blob creation if length overflows or is too large
Fail if blob start plus length overflows; or if blob length
is greater than 2GB. It takes a while for fonts to get to that
size. In the meantime, it protects against bugs like this:
http://www.icu-project.org/trac/ticket/11450
Also avoids some weird issues with 32bit vs 64bit systems
as we accept length as unsigned int. As such, a length of
-1 will cause overflow on 32bit machines, but be happily
accepted on a 64bit machine. Avoid that.
diff --git a/src/hb-blob.cc b/src/hb-blob.cc
index b82b4b2..4437930 100644
--- a/src/hb-blob.cc
+++ b/src/hb-blob.cc
@@ -102,7 +102,10 @@
{
hb_blob_t *blob;
- if (!length || !(blob = hb_object_create<hb_blob_t> ())) {
+ if (!length ||
+ length >= 1u << 31 ||
+ data + length < data /* overflows */ ||
+ !(blob = hb_object_create<hb_blob_t> ())) {
if (destroy)
destroy (user_data);
return hb_blob_get_empty ();
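Review bot: the wrap guard `data + length < data /* overflows */` is undefined behaviour in C++, since forming a pointer more than one past the end of the object `data` points into is not permitted, so an optimizing compiler may treat the comparison as always false and drop the check entirely. Do the comparison in integer space instead, e.g. `(uintptr_t) data + length < (uintptr_t) data`, or reject the case up front with `length > UINTPTR_MAX - (uintptr_t) data`. The new `length >= 1u << 31` cap already makes the wrap practically unreachable on 64-bit targets, so the pointer comparison is doing its real work only on 32-bit builds, which is exactly where an optimizer is most likely to discard it.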