[tor-commits] [tor-browser] 24/46: Bug 1761233 - Apply VDMX sanitization fix from https://github.com/khaledhosny/ots/pull/250 to avoid generating invalid "sanitized" data. r=gfx-reviewers, lsalzman, a=dmeehan

gitolite role git at cupani.torproject.org
Wed Nov 16 20:43:04 UTC 2022


This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch base-browser-102.5.0esr-12.0-1
in repository tor-browser.

commit e47c373b00a6998a7e391049b26a39c52edbdfb1
Author: Jonathan Kew <jkew at mozilla.com>
AuthorDate: Thu Oct 6 10:05:26 2022 +0000

    Bug 1761233 - Apply VDMX sanitization fix from https://github.com/khaledhosny/ots/pull/250 to avoid generating invalid "sanitized" data. r=gfx-reviewers,lsalzman, a=dmeehan
    
    With this fix, the site from comment 21 loads successfully.
    
    Differential Revision: https://phabricator.services.mozilla.com/D158712
---
 gfx/ots/src/vdmx.cc | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/gfx/ots/src/vdmx.cc b/gfx/ots/src/vdmx.cc
index 54055777a8e7..17433f88943a 100644
--- a/gfx/ots/src/vdmx.cc
+++ b/gfx/ots/src/vdmx.cc
@@ -4,18 +4,23 @@
 
 #include "vdmx.h"
 
+#include <set>
+
 // VDMX - Vertical Device Metrics
 // http://www.microsoft.com/typography/otspec/vdmx.htm
 
 namespace ots {
 
+#define TABLE_NAME "VDMX"
+
 bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
   Buffer table(data, length);
+  ots::Font* font = this->GetFont();
 
   if (!table.ReadU16(&this->version) ||
       !table.ReadU16(&this->num_recs) ||
       !table.ReadU16(&this->num_ratios)) {
-    return Error("Failed to read table header");
+    return Drop("Failed to read table header");
   }
 
   if (this->version > 1) {
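Review bot: Nothing in the visible lines refers to `font` after it is declared at the top of Parse, and `TABLE_NAME` is only defined and later undefined, so both look unused unless OTS_WARNING (called in the later offsets hunk) expands to references to them, which is presumably the case. A short comment such as `// font and TABLE_NAME are referenced by the OTS_WARNING macro below` would keep a later cleanup from deleting them. The switch from Error() to Drop() here and on the other read-failure paths also appears to change what happens to a malformed VDMX table (discard the table rather than reject the font); a one-line comment at the top of Parse stating that policy would help the next reader. Parse's body continues outside this hunk.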
@@ -30,7 +35,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
         !table.ReadU8(&rec.x_ratio) ||
         !table.ReadU8(&rec.y_start_ratio) ||
         !table.ReadU8(&rec.y_end_ratio)) {
-      return Error("Failed to read RatioRange record %d", i);
+      return Drop("Failed to read RatioRange record %d", i);
     }
 
     if (rec.charset > 1) {
@@ -56,17 +61,28 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 
   this->offsets.reserve(this->num_ratios);
   const size_t current_offset = table.offset();
+  std::set<uint16_t> unique_offsets;
   // current_offset is less than (2 bytes * 3) + (4 bytes * USHRT_MAX) = 256k.
   for (unsigned i = 0; i < this->num_ratios; ++i) {
     uint16_t offset;
     if (!table.ReadU16(&offset)) {
-      return Error("Failed to read ratio offset %d", i);
+      return Drop("Failed to read ratio offset %d", i);
     }
     if (current_offset + offset >= length) {  // thus doesn't overflow.
-      return Error("Bad ratio offset %d for ration %d", offset, i);
+      return Drop("Bad ratio offset %d for ration %d", offset, i);
     }
 
     this->offsets.push_back(offset);
+    unique_offsets.insert(offset);
+  }
+
+  // Check that num_recs is sufficient to provide as many VDMXGroup records
+  // as there are unique offsets; if not, update it (we'll return an error
+  // below if they're not actually present).
+  if (unique_offsets.size() > this->num_recs) {
+    OTS_WARNING("increasing num_recs (%u is too small for %u unique offsets)",
+                this->num_recs, unique_offsets.size());
+    this->num_recs = unique_offsets.size();
   }
 
   this->groups.reserve(this->num_recs);
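Review bot: The new OTS_WARNING call passes `unique_offsets.size()`, a `size_t`, for a `%u` conversion; if the macro forwards to a printf-style function, as its format string suggests, that is a type mismatch wherever `size_t` is wider than `unsigned`. Cast at the call, `this->num_recs, static_cast<unsigned>(unique_offsets.size()));`, and make the narrowing on the assignment explicit too: `this->num_recs = static_cast<uint16_t>(unique_offsets.size());`. The value always fits, because at most `num_ratios` (read as a 16-bit count) offsets are inserted, so the casts only document that. Since the raised `num_recs` is derived from untrusted font data, the group loop that follows, which continues outside this hunk, is the only place that confirms the extra records are actually present.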
@@ -75,7 +91,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
     if (!table.ReadU16(&group.recs) ||
         !table.ReadU8(&group.startsz) ||
         !table.ReadU8(&group.endsz)) {
-      return Error("Failed to read record header %d", i);
+      return Drop("Failed to read record header %d", i);
     }
     group.entries.reserve(group.recs);
     for (unsigned j = 0; j < group.recs; ++j) {
@@ -83,7 +99,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
       if (!table.ReadU16(&vt.y_pel_height) ||
           !table.ReadS16(&vt.y_max) ||
           !table.ReadS16(&vt.y_min)) {
-        return Error("Failed to read reacord %d group %d", i, j);
+        return Drop("Failed to read record %d group %d", i, j);
       }
       if (vt.y_max < vt.y_min) {
         return Drop("bad y min/max");
@@ -152,4 +168,6 @@ bool OpenTypeVDMX::Serialize(OTSStream *out) {
   return true;
 }
 
+#undef TABLE_NAME
+
 }  // namespace ots
