Closed
Bug 480409
Opened 16 years ago
Closed 16 years ago
integer overflow on allocation in harfbuzz on 64-bit systems
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: karlt, Assigned: mozilla)
Details
(Whiteboard: [sg:investigate])
HB_INTERNAL HB_Pointer
_hb_realloc( HB_Pointer  block,
             HB_UInt     new_size,
             HB_Error   *perror_ );

typedef unsigned int HB_UInt;
Reporter
Updated•16 years ago
Whiteboard: [sg:investigate]
Assignee
Comment 1•16 years ago
Committed to pango:
commit caaa5d09e10d4fe01ef986c9a95826c3cbb13cfa
Author: Behdad Esfahbod <behdad@behdad.org>
Date: Mon Mar 2 14:20:20 2009 +0330
[opentype] Use size_t instead of uint for malloc wrappers
Though the macros still do multiplication without checking for overflow. I don't expect it to be a major issue though as most (all?) numbers coming from the font file are 16-bit ints.
Reporter
Comment 2•16 years ago
Thanks, Behdad. My concern was HB_Buffer, which Pango uses with string lengths. But callers of hb_buffer_ensure seem to only ever increment the buffer by what can be stored in an HB_UShort, so allocation should fail, limiting the length of the buffer, before size_t multiplication overflow occurs, even on 32-bit systems.
Assignee: nobody → mozilla
Reporter
Updated•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•12 years ago
Group: core-security
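
The truncation reported in this bug and the unchecked multiplication mentioned in Comment 1, as an added example that is not code from HarfBuzz, Pango or any commenter here. Only the `HB_UInt` typedef comes from the report; `size_seen_by_uint_wrapper`, `mul_overflows` and `checked_realloc_array` are hypothetical names, and the request sizes are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int HB_UInt;   /* typedef quoted in the bug description */

/* Byte count a wrapper declared with an HB_UInt size parameter receives
 * when the caller computed the request as a size_t. The cast stands in for
 * the implicit conversion that happens at the call site. */
static size_t size_seen_by_uint_wrapper(size_t requested)
{
    HB_UInt new_size = (HB_UInt)requested;
    return (size_t)new_size;
}

/* Nonzero when count * elem_size does not fit in a size_t. */
static int mul_overflows(size_t count, size_t elem_size)
{
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Hypothetical array realloc: size_t parameters plus a checked multiply.
 * Returns NULL and leaves block untouched on overflow, as realloc does on
 * allocation failure. */
static void *checked_realloc_array(void *block, size_t count, size_t elem_size)
{
    if (mul_overflows(count, elem_size))
        return NULL;
    return realloc(block, count * elem_size);
}

int main(void)
{
    /* Constructed request: 2^32 + 16 bytes where size_t is 64 bits wide. */
    size_t requested = (size_t)UINT_MAX + 17;
    printf("caller asked for %zu bytes, HB_UInt wrapper sees %zu\n",
           requested, size_seen_by_uint_wrapper(requested));

    printf("65535 * 8 overflows: %d\n", mul_overflows(65535, 8));
    printf("(SIZE_MAX/2 + 1) * 2 overflows: %d\n",
           mul_overflows(SIZE_MAX / 2 + 1, 2));

    void *p = checked_realloc_array(NULL, 65535, 8);
    printf("checked alloc of 65535 elements: %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```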