Annotation of /trunk/qt4/patches/qt-4.8.1-fix-buffer-overflow.patch
Revision 1771 -
Wed May 9 07:58:18 2012 UTC (12 years, 4 months ago) by niro
File size: 1976 byte(s)
-added upstream patches for qt-4.8.1
1 | niro | 1771 | From 827e5c4c689d4ecb4f8c1ab48c9a7ab712fe2ca7 Mon Sep 17 00:00:00 2001 |
2 | From: John Tapsell <john.tapsell.ext@basyskom.com> | ||
3 | Date: Mon, 12 Mar 2012 22:07:47 +0000 | ||
4 | Subject: [PATCH] Harfbuzz-thai - fix buffer overflow when setting item | ||
5 | attributes | ||
6 | |||
7 | Change-Id: I19eeb4ec25a7c6cb3f584e6290169f9f327b8713 | ||
8 | Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@nokia.com> | ||
9 | --- | ||
10 | src/3rdparty/harfbuzz/src/harfbuzz-thai.c | 9 +++++- | ||
11 | .../qtextscriptengine/tst_qtextscriptengine.cpp | 29 ++++++++++++++++++++ | ||
12 | 2 files changed, 36 insertions(+), 2 deletions(-) | ||
13 | |||
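--- a/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
+++ b/src/3rdparty/harfbuzz/src/harfbuzz-thai.c
@@ -263,8 +263,13 @@ static HB_Bool HB_ThaiConvertStringToGlyphIndices (HB_ShaperItem *item)
 // The only glyphs that should be passed to this function that cannot be mapped to
 // tis620 are the ones of type Inherited class. Pass these glyphs untouched.
 glyphString[slen++] = string[i];
- if (string[i] == 0x200D || string[i] == 0x200C)
- item->attributes[slen-1].dontPrint = true; // Hide ZWJ and ZWNJ characters
+ if (string[i] == 0x200D || string[i] == 0x200C) {
+ // Check that we do not run out of bounds when setting item->attributes. If we do
+ // run out of bounds then this function will return false, the necessary amount of
+ // memory is reallocated, and this function will then be called again.
+ if (slen <= item->num_glyphs)
+ item->attributes[slen-1].dontPrint = true; // Hide ZWJ and ZWNJ characters
+ }
 } else {
 glyphString[slen++] = (HB_UChar16) thai_get_glyph_index (font_type, rglyphs[lgi]);
 }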
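Review bot: The new `slen <= item->num_glyphs` guard covers only the `item->attributes[slen-1]` write; the two `glyphString[slen++]` stores (the line above the check and the one in the `else` branch) still advance with no bound visible in this hunk, so it is worth confirming that glyphString is sized independently of `num_glyphs`. When the guard fails, `dontPrint` is skipped without any signal and correctness rests on the later `false` return and retry that the comment describes; that return, like the start and end of HB_ThaiConvertStringToGlyphIndices, lies outside the hunk. I would state the invariant at the check itself, e.g. `// attributes[] has num_glyphs entries; on overflow the function returns false and is re-run with a larger buffer`. The declarations of `slen` and `num_glyphs` are not shown, so also verify they share signedness, since a mixed signed/unsigned comparison here could let an out-of-range index through.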