taken from pango-1.28.1-3.el6_0.5.src.rpm pango-hb_buffer_enlarge-overflow.patch pango-hb_buffer_ensure-realloc.patch diff -Naurp pango-1.28.0/pango/opentype/hb-buffer-private.h pango-1.28.0.oden/pango/opentype/hb-buffer-private.h --- pango-1.28.0/pango/opentype/hb-buffer-private.h 2010-01-26 17:11:19.000000000 +0000 +++ pango-1.28.0.oden/pango/opentype/hb-buffer-private.h 2011-03-03 06:38:02.000000000 +0000 @@ -72,6 +72,7 @@ struct _hb_buffer_t { unsigned int allocated; hb_bool_t have_output; /* weather we have an output buffer going on */ + hb_bool_t in_error; /* Allocation failed */ unsigned int in_length; unsigned int out_length; unsigned int in_pos; diff -Naurp pango-1.28.0/pango/opentype/hb-buffer.c pango-1.28.0.oden/pango/opentype/hb-buffer.c --- pango-1.28.0/pango/opentype/hb-buffer.c 2010-01-26 17:11:19.000000000 +0000 +++ pango-1.28.0.oden/pango/opentype/hb-buffer.c 2011-03-03 06:38:05.000000000 +0000 @@ -52,23 +52,21 @@ static hb_buffer_t _hb_buffer_nil = { * in_string and out_string. */ -/* XXX err handling */ - /* Internal API */ -static void +static hb_bool_t hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size) { - hb_buffer_ensure (buffer, size); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE; if (buffer->out_string == buffer->in_string) { assert (buffer->have_output); - if (!buffer->positions) - buffer->positions = calloc (buffer->allocated, sizeof (buffer->positions[0])); buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions; memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof (buffer->out_string[0])); } + + return TRUE; } /* Public API */ @@ -114,6 +112,7 @@ void hb_buffer_clear (hb_buffer_t *buffer) { buffer->have_output = FALSE; + buffer->in_error = FALSE; buffer->in_length = 0; buffer->out_length = 0; buffer->in_pos = 0; @@ -122,32 +121,50 @@ hb_buffer_clear (hb_buffer_t *buffer) buffer->max_lig_id = 0; } -void +hb_bool_t hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size) { - unsigned int new_allocated = buffer->allocated; - - if (size > new_allocated) + if (HB_UNLIKELY (size > buffer->allocated)) { + unsigned int new_allocated = buffer->allocated; + hb_internal_glyph_position_t *new_pos; + hb_internal_glyph_info_t *new_info; + hb_bool_t separate_out; + + if (HB_UNLIKELY (buffer->in_error)) + return FALSE; + + separate_out = buffer->out_string != buffer->in_string; + while (size > new_allocated) new_allocated += (new_allocated >> 1) + 8; - if (buffer->positions) - buffer->positions = realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0])); + ASSERT_STATIC (sizeof (buffer->in_string[0]) == sizeof (buffer->positions[0])); + hb_bool_t overflows = new_allocated >= ((unsigned int) -1) / sizeof (buffer->in_string[0]); - if (buffer->out_string != buffer->in_string) - { - buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions; - } - else - { - buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); - buffer->out_string = buffer->in_string; + if (HB_UNLIKELY (overflows)) { + new_pos = NULL; + new_info = NULL; + } else { + new_pos = (hb_glyph_position_t *) realloc (buffer->positions, new_allocated * sizeof (buffer->positions[0])); + new_info = (hb_glyph_info_t *) realloc (buffer->in_string, new_allocated * sizeof (buffer->in_string[0])); } - buffer->allocated = new_allocated; + if (HB_UNLIKELY (!new_pos || !new_info)) + buffer->in_error = TRUE; + + if (HB_LIKELY (new_pos)) + buffer->positions = new_pos; + + if (HB_LIKELY (new_info)) + buffer->in_string = new_info; + + buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) buffer->positions : buffer->in_string; + if (HB_LIKELY (!buffer->in_error)) + buffer->allocated = new_allocated; } + + return HB_LIKELY (!buffer->in_error); } void @@ -158,7 +175,7 @@ hb_buffer_add_glyph (hb_buffer_t *buf { hb_internal_glyph_info_t *glyph; - hb_buffer_ensure (buffer, buffer->in_length + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return; glyph = &buffer->in_string[buffer->in_length]; glyph->codepoint = codepoint; @@ -213,6 +230,8 @@ _hb_buffer_swap (hb_buffer_t *buffer) assert (buffer->have_output); + if (HB_UNLIKELY (buffer->in_error)) return; + if (buffer->out_string != buffer->in_string) { hb_internal_glyph_info_t *tmp_string; @@ -265,7 +284,8 @@ _hb_buffer_add_output_glyphs (hb_buffer_ if (buffer->out_string != buffer->in_string || buffer->out_pos + num_out > buffer->in_pos + num_in) { - hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out); + if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out))) + return; } mask = buffer->in_string[buffer->in_pos].mask; @@ -302,7 +322,7 @@ _hb_buffer_add_output_glyph (hb_buffer_t if (buffer->out_string != buffer->in_string) { - hb_buffer_ensure (buffer, buffer->out_pos + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return; buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos]; } else if (buffer->out_pos != buffer->in_pos) @@ -332,7 +352,7 @@ _hb_buffer_next_glyph (hb_buffer_t *buff if (buffer->out_string != buffer->in_string) { - hb_buffer_ensure (buffer, buffer->out_pos + 1); + if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return; buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos]; } else if (buffer->out_pos != buffer->in_pos) diff -Naurp pango-1.28.0/pango/opentype/hb-buffer.h pango-1.28.0.oden/pango/opentype/hb-buffer.h --- pango-1.28.0/pango/opentype/hb-buffer.h 2010-01-26 17:11:19.000000000 +0000 +++ pango-1.28.0.oden/pango/opentype/hb-buffer.h 2011-03-03 06:38:02.000000000 +0000 @@ -94,7 +94,7 @@ hb_buffer_clear (hb_buffer_t *buffer); void hb_buffer_clear_positions (hb_buffer_t *buffer); -void +hb_bool_t hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size);