Fail blob creation if length overflows or is too large

Fail if blob start plus length overflows; or if blob length
is greater than 2GB.  It takes a while for fonts to get to that
size.  In the mean time, it protects against bugs like this:

  http://www.icu-project.org/trac/ticket/11450

Also avoids some weird issues with 32bit vs 64bit systems
as we accept length as unsigned int.  As such, a length of
-1 will cause overflow on 32bit machines, but happily
accepted on a 64bit machine.  Avoid that.

diff --git a/src/hb-blob.cc b/src/hb-blob.cc
index b82b4b2..4437930 100644 (file)
--- a/src/hb-blob.cc
+++ b/src/hb-blob.cc
@@ -102,7 +102,10 @@ hb_blob_create (const char        *data,
 {
   hb_blob_t *blob;
 
-  if (!length || !(blob = hb_object_create<hb_blob_t> ())) {
+  if (!length ||
+      length >= 1u << 31 ||
+      data + length < data /* overflows */ ||
+      !(blob = hb_object_create<hb_blob_t> ())) {
     if (destroy)
       destroy (user_data);
     return hb_blob_get_empty ();

diff --git a/test/api/test-blob.c b/test/api/test-blob.c
index bbb7e2e..f671331 100644 (file)
--- a/test/api/test-blob.c
+++ b/test/api/test-blob.c
@@ -53,6 +53,9 @@ test_blob_empty (void)
   g_assert (hb_blob_is_immutable (hb_blob_get_empty ()));
   g_assert (hb_blob_get_empty () != NULL);
   g_assert (hb_blob_get_empty () == hb_blob_create (NULL, 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
+  g_assert (hb_blob_get_empty () == hb_blob_create ("asdf", 0, HB_MEMORY_MODE_READONLY, NULL, NULL));
+  g_assert (hb_blob_get_empty () == hb_blob_create (NULL, -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
+  g_assert (hb_blob_get_empty () == hb_blob_create ("asdfg", -1, HB_MEMORY_MODE_READONLY, NULL, NULL));
 
   blob = hb_blob_get_empty ();
   g_assert (blob == hb_blob_get_empty ());