[sanitizer] Add reset_object(), make set_object() do bounds-check

Affects morx/kerx run-time only currently.  Will adjust their sanitize next.
Behdad Esfahbod 2018-11-22 22:12:36 -05:00
parent 2c8188bf59
commit a9fe787a11
3 changed files with 22 additions and 12 deletions


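--- a/<kerx-file-path-not-on-page>
+++ b/<kerx-file-path-not-on-page>
@@ -934,6 +934,7 @@ struct KerxTable
 st = &StructAfter<SubTable> (*st);
 c->set_lookup_index (c->lookup_index + 1);
 }
+c->sanitizer.reset_object ();
 return ret;
 }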
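Review bot: The `c->sanitizer.reset_object ();` added after the loop only runs when the loop exits normally, so if the loop body above the hunk leaves the function early (a `return` on a failed subtable, say — not visible here), the sanitizer stays clipped to the last subtable for whatever uses `c` next; the morx `Chain` hunk has the same shape. If such exits exist, either reset on those paths too or wrap the narrowing in a small RAII guard so the reset cannot be skipped. A one-line comment would also help a reader who does not know that `set_object` narrows the bounds: `/* Restore full-blob bounds; set_object () clipped them to each subtable. */`. The enclosing function starts above the hunk.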


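--- a/<morx-file-path-not-on-page>
+++ b/<morx-file-path-not-on-page>
@@ -1041,6 +1041,7 @@ struct Chain
 subtable = &StructAfter<ChainSubtable<Types> > (*subtable);
 c->set_lookup_index (c->lookup_index + 1);
 }
+c->sanitizer.reset_object ();
 }
 inline unsigned int get_size (void) const { return length; }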


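--- a/<sanitizer-file-path-not-on-page>
+++ b/<sanitizer-file-path-not-on-page>
@@ -259,26 +259,34 @@ struct hb_sanitize_context_t :
 inline void set_max_ops (int max_ops_) { max_ops = max_ops_; }
-/* TODO
- * This set_object() thing is to use sanitize at runtime lookup
- * application time. This is very distinct from the regular
- * sanitizer operation, so, eventually, separate into another
- * type and make hb_aat_apply_context_t use that one instead
- * of abusing this one.
- */
 template <typename T>
 inline void set_object (const T& obj)
 {
-this->start = (const char *) &obj;
-this->end = (const char *) &obj + obj.get_size ();
+reset_object ();
+const char *obj_start = (const char *) &obj;
+const char *obj_end = (const char *) &obj + obj.get_size ();
+assert (obj_start <= obj_end); /* Must not overflow. */
+if (unlikely (obj_end < this->start || this->end < obj_start))
+this->start = this->end = nullptr;
+else
+{
+this->start = MAX (this->start, obj_start);
+this->end = MIN (this->end , obj_end );
+}
+}
+inline void reset_object (void)
+{
+this->start = this->blob->data;
+this->end = this->start + this->blob->length;
 assert (this->start <= this->end); /* Must not overflow. */
 }
 inline void start_processing (void)
 {
-this->start = this->blob->data;
-this->end = this->start + this->blob->length;
-assert (this->start <= this->end); /* Must not overflow. */
+reset_object ();
 this->max_ops = MAX ((unsigned int) (this->end - this->start) * HB_SANITIZE_MAX_OPS_FACTOR,
 (unsigned) HB_SANITIZE_MAX_OPS_MIN);
 this->edit_count = 0;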
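Review bot: `obj.get_size ()` on the `obj_end` line dereferences `obj` before the new range test runs, so at apply time a subtable pointer that already sits outside the blob has its size field read before `set_object` concludes it is out of range — exactly the read the check is meant to prevent. Range-check `obj_start` against `this->start`/`this->end` (and that `T::min_size` fits, assuming `T` exposes it like the other sanitized types) before calling `get_size ()`, and only then clip `end`. Now that `get_size ()` is fed font data at run time, `assert (obj_start <= obj_end)` turns a hostile length into an abort instead of a failed check; nulling `start`/`end` as the `unlikely` branch does would be the consistent response. `hb_sanitize_context_t` opens above the hunk and `start_processing` continues below it.
```cpp
  template <typename T>
  inline void set_object (const T& obj)
  {
    reset_object ();

    const char *obj_start = (const char *) &obj;
    /* Check where the object sits before touching any of its fields. */
    if (unlikely (obj_start < this->start || this->end < obj_start ||
		  (unsigned int) (this->end - obj_start) < T::min_size))
    {
      this->start = this->end = nullptr;
      return;
    }

    const char *obj_end = obj_start + obj.get_size ();
    if (unlikely (obj_end < obj_start)) /* Pointer arithmetic wrapped. */
    {
      this->start = this->end = nullptr;
      return;
    }

    this->start = obj_start;
    this->end   = MIN (this->end, obj_end);
  }
  // … unchanged: reset_object (), start_processing () …
```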