Clean up buffer area when rewinding

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=614647
If allocation fails, we might be leaving junk behind.  At least
clear it up.

diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index 4552d15..3940a3d 100644 (file)
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -183,6 +183,12 @@ hb_buffer_t::shift_forward (unsigned int count)
   if (unlikely (!ensure (len + count))) return false;
 
   memmove (info + idx + count, info + idx, (len - idx) * sizeof (info[0]));
+  if (idx + count > len)
+  {
+    /* Under memory failure we might expose this area.  At least
+     * clean it up.  Oh well... */
+    memset (info + len, 0, (idx + count - len) * sizeof (info[0]));
+  }
   len += count;
   idx += count;
 
@@ -426,6 +432,8 @@ hb_buffer_t::move_to (unsigned int i)
     /* Tricky part: rewinding... */
     unsigned int count = out_len - i;
 
+    /* This will blow in our face if memory allocation fails later
+     * in this same lookup... */
     if (unlikely (idx < count && !shift_forward (count + 32))) return false;
 
     assert (idx >= count);