integer overflow on allocation in harfbuzz on 64-bit systems

RESOLVED FIXED

People

(Reporter: karlt, Assigned: mozilla)

Tracking

Trunk
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:investigate])

(Reporter)

Description

10 years ago
HB_INTERNAL HB_Pointer
_hb_realloc( HB_Pointer block,
             HB_UInt    new_size,
             HB_Error  *perror_ );

typedef unsigned int HB_UInt;
(Reporter)

Updated

10 years ago
Whiteboard: [sg:investigate]
(Assignee)

Comment 1

10 years ago
Committed to pango:

commit caaa5d09e10d4fe01ef986c9a95826c3cbb13cfa
Author: Behdad Esfahbod <behdad@behdad.org>
Date:   Mon Mar 2 14:20:20 2009 +0330

    [opentype] Use size_t instead of uint for malloc wrappers


Though the macros still do multiplication without checking for overflow.  I don't expect it to be a major issue though as most (all?) numbers coming from the font file are 16-bit ints.
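An added example (not code from harfbuzz, pango or the report) that puts the narrowing described in the description beside an overflow-checked size computation in size_t, the direction the pango commit takes. `HB_UInt` is the typedef quoted above; the function names, the `elem_size` parameter and the sample values are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The typedef quoted in the report: 32 bits on 64-bit Linux, narrower than size_t. */
typedef unsigned int HB_UInt;

/* Old pattern: the product is formed in size_t, then narrowed to HB_UInt on the
   way into the allocator. On a 64-bit system any product of 4 GiB or more is
   silently reduced modulo 2^32, so the allocator sees a much smaller request.
   Returns the byte count the allocator would actually receive. */
size_t narrowed_alloc_size(size_t count, size_t elem_size)
{
    HB_UInt new_size = (HB_UInt)(count * elem_size);  /* truncation happens here */
    return (size_t)new_size;
}

/* Hardened pattern: keep the size in size_t and reject a product that would wrap.
   Returns 1 and stores the byte count in *out, or 0 on overflow / zero-size request. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (count > SIZE_MAX / elem_size)   /* count * elem_size would exceed SIZE_MAX */
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Array reallocation wrapper built on the checked size: on overflow it returns
   NULL instead of handing a truncated byte count to realloc. */
void *checked_realloc_array(void *block, size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes))
        return NULL;
    return realloc(block, bytes);
}

int main(void)
{
    /* Constructed sample: 2^31 elements of 4 bytes = 2^33 bytes, which narrows to 0. */
    size_t count = (size_t)1 << 31;
    printf("narrowed: %zu bytes\n", narrowed_alloc_size(count, 4));
    void *p = checked_realloc_array(NULL, count, 4);
    printf("checked: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```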
(Reporter)

Comment 2

10 years ago
Thanks, Behdad.  My concern was HB_Buffer, which Pango uses with string lengths.  But callers of hb_buffer_ensure seem to only ever increment the buffer by what can be stored in an HB_UShort, so allocation should fail, limiting the length of the buffer, before size_t multiplication overflow occurs, even on 32-bit systems.
Assignee: nobody → mozilla
(Reporter)

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Group: core-security