Fix crash on unicode "zero width non-joiner" sequence. b=217903 r+sr=dbaron

2024-10-10 20:05:49 +00:00 · 2005-08-31 00:35:17 +00:00 · 2005-08-31 00:35:17 +00:00 · 8f34e7d413
commit 8f34e7d413
parent 181feb8d67
2 changed files with 22 additions and 9 deletions
--- a/layout/base/nsBidiUtils.cpp
+++ b/layout/base/nsBidiUtils.cpp
@ -357,6 +357,7 @@ nsresult ArabicShaping(const PRUnichar* aString, PRUint32 aLen,
    *lDest++ = *lSrc++; 

  *aBufLen = lDest - aBuf;
+  NS_ASSERTION(*aBufLen <= aLen, "ArabicShaping() likely did a buffer overflow!");

  if (aOutputLogical) {
    ReverseString(aBuf, *aBufLen);
--- a/layout/generic/nsTextTransformer.cpp
+++ b/layout/generic/nsTextTransformer.cpp
@ -20,6 +20,7 @@
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
+ *   Mats Palmgren <mats.palmgren@bredband.net>
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either of the GNU General Public License Version 2 or later (the "GPL"),
@ -1488,7 +1489,13 @@ nsTextTransformer::DoArabicShaping(PRUnichar* aText,
  
  ArabicShaping(aText, buf.Length(), buffer, (PRUint32 *)&newLen, !isVisual, !isVisual);

-  aTextLength = newLen;
+  if (newLen <= aTextLength) {
+    aTextLength = newLen;
+  } else {
+    // Increasing |aTextLength| would cause a buffer overflow on |aText|
+    // by |StripZeroWidthJoinControls()| below.
+    NS_ERROR("ArabicShaping should not have increased the text length");
+  }
  *aWasTransformed = PR_TRUE;

  StripZeroWidthJoinControls(buffer, aText, aTextLength, aWasTransformed);
@ -1552,21 +1559,26 @@ nsTextTransformer::StripZeroWidthJoinControls(PRUnichar* aSource,
                                              PRInt32& aTextLength, 
                                              PRBool* aWasTransformed)
 {
-  PRUnichar *src, *dest;
-  PRInt32 stripped = 0;
+  if (aTextLength < 0) {
+    NS_ERROR("negative text length");
+    aTextLength = 0;
+    return;
+  }

-  src = aSource;
-  dest = aTarget;
+  const PRUnichar* src = aSource;
+  const PRUnichar* const end = aSource + aTextLength;
+  PRUnichar* dest = aTarget;

-  for (PRInt32 i = 0; i < aTextLength; ++i) {
-    while (*src == CH_ZWNJ || *src == CH_ZWJ) {
-      ++stripped;
+  while (src != end) {
+    if (*src == CH_ZWNJ || *src == CH_ZWJ) {
      ++src;
      *aWasTransformed = PR_TRUE;
+      continue;
    }
    *dest++ = *src++;
  }
-  aTextLength -= stripped;
+
+  aTextLength = dest - aTarget;
 }

 //----------------------------------------------------------------------