| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-14 11:32:18 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-14 15:23:48 +0000 |
| commit | 82b53e95166ef361bc8963fb0b482e236e347ece (patch) | |
| tree | af95b7ce41d81e612be1301e706df953889fb417 /chromium | |
| parent | a3b4be8d0247ae89b061cabf02ed09aa76f07d7a (diff) | |
| download | qtwebengine-chromium-82b53e95166ef361bc8963fb0b482e236e347ece.tar.gz | |
[Backport] Fix security issue 895117
Fix invalid memory read
Buffer might be relocated inside replace_glyphs().
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=895117
Change-Id: Id57a6ad2379933ef1275e665d20ab7a7fd824e57
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
Diffstat (limited to 'chromium')

| -rw-r--r-- | chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc | 3 |
|---|---|---|

1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc b/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc index 358450ee7f0..1acff3375a2 100644 --- a/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc +++ b/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc @@ -223,7 +223,8 @@ handle_variation_selector_cluster (const hb_ot_shape_normalize_context_t *c, uns /* The next two lines are some ugly lines... But work. */ if (font->get_variation_glyph (buffer->cur().codepoint, buffer->cur(+1).codepoint, &buffer->cur().glyph_index())) { - buffer->replace_glyphs (2, 1, &buffer->cur().codepoint); + hb_codepoint_t unicode = buffer->cur().codepoint; + buffer->replace_glyphs (2, 1, &unicode); } else { |
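Review bot: The local copy `hb_codepoint_t unicode = buffer->cur().codepoint;` passed as `&unicode` to `buffer->replace_glyphs (2, 1, &unicode);` is the whole fix, because replace_glyphs() can grow and relocate the buffer's glyph array, so the removed `&buffer->cur().codepoint` argument could end up pointing into memory that was freed during the call; please add a one-line comment above the copy stating that replace_glyphs() may reallocate the buffer and must not be handed a pointer into it, otherwise a later cleanup could fold the temporary back into the call and silently reintroduce the invalid read. While here, the existing `/* The next two lines are some ugly lines... But work. */` comment now describes three lines and should be updated to match.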