Closed Bug 603352 Opened 15 years ago Closed 15 years ago

infinite loop in hb_ot_tag_from_language because i is never incremented

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, hang)

Attachments

(1 file)

proposal
868 bytes, patch
Details | Diff | Splinter Review
618 hb_ot_tag_from_language (hb_language_t language) 638 while (i < 4) 639 tag[i] = ' ';
618 hb_ot_tag_from_language (hb_language_t language) 628 if (0 == strcmp (lang_str, "x-hbot")) { 629 char tag[4]; 630 int i; 631 lang_str += 6; 632 i = 0; actually, you'll get trapped in this loop: 635 while (i < 4 && IS_LETTER (lang_str[i])) { 636 tag[i] = TO_UPPER (lang_str[i]); 637 } long before you get trapped in this loop ... 638 while (i < 4) 639 tag[i] = ' ';
blocking2.0: --- → ?
Summary: infinite loop in hb_ot_tag_from_language if i < 4 → infinite loop in hb_ot_tag_from_language because i is never incremented
Attached patch proposalSplinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #482490 - Flags: review?(jfkthame)
Yes, this is clearly bad! Fortunately, we don't use that codepath. Reported this upstream to Behdad and the harfbuzz list; I expect he'll fix it shortly.
Indeed, untested code is buggy code. Fixed. Thanks.
blocking2.0: ? → -
Comment on attachment 482490 [details] [diff] [review] proposal We've landed a harfbuzz update that includes a version of this fix, so we can close this.
Attachment #482490 - Flags: review?(jfkthame)
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: