From 676947ce0204914da1d8fb159730432c0fb0a3a2 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Thu, 24 Mar 2016 11:09:45 -0700
Subject: Added bounds checking to GetNameFromTT to handle corrupt files.

Patch by forshaw. This patch adds bounds checking to the names buffer passed to GetNameFromTT. There are observed crashes in this function where data is read outside of the bounds allocated and passed to GetNameFromTT. There's no reason that this function should ever try and read outside of the allocated bounds.
BUG=583037
TBR=forshaw@chromium.org
patch from issue 1829013002 at patchset 40001 (http://crrev.com/1829013002#ps40001)
Review URL: https://codereview.chromium.org/1830243003 .
---
 core/include/fxge/fx_font.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'core/include/fxge/fx_font.h')

diff --git a/core/include/fxge/fx_font.h b/core/include/fxge/fx_font.h
index 964a3793ca..7bfe0c22f3 100644
--- a/core/include/fxge/fx_font.h
+++ b/core/include/fxge/fx_font.h
@@ -541,7 +541,9 @@ class IFX_GSUBTable {
 virtual ~IFX_GSUBTable() {}
 };
-CFX_ByteString GetNameFromTT(const uint8_t* name_table, FX_DWORD name);
+CFX_ByteString GetNameFromTT(const uint8_t* name_table,
+ FX_DWORD name_table_size,
+ FX_DWORD name);
 int PDF_GetStandardFontName(CFX_ByteString* name);
--
cgit v1.2.3
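Review bot: The new three-argument declaration of GetNameFromTT carries no comment saying what `name_table_size` bounds or what a caller receives when the 'name' table is truncated or an offset falls outside it, and since the definition lives in a source file this patch does not touch, the header is the only contract most callers will read. I would add above the declaration: `// Extracts name record |name| from the TrueType 'name' table at |name_table|, which is |name_table_size| bytes long; records or string data that would lie outside that size are rejected rather than read.` The value returned in the rejected case should be stated in that comment once confirmed against the definition, so callers do not treat an empty result as a valid font name. The diff changes only the header, so every existing two-argument call site and the definition itself presumably move in a companion change not visible here; without that the tree will not build.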