[Backport] Fix security issue 895117

Fix invalid memory read Buffer might be relocated inside replace_glyphs(). Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=895117 Change-Id: Id57a6ad2379933ef1275e665d20ab7a7fd824e57 Reviewed-by: Michael Brüning <michael.bruning@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-02-14 11:32:18 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-02-14 15:23:48 +0000
commit: 82b53e95166ef361bc8963fb0b482e236e347ece (patch)
tree: af95b7ce41d81e612be1301e706df953889fb417 /chromium
parent: a3b4be8d0247ae89b061cabf02ed09aa76f07d7a (diff)
download: qtwebengine-chromium-82b53e95166ef361bc8963fb0b482e236e347ece.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc b/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc
index 358450ee7f0..1acff3375a2 100644
--- a/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc
+++ b/chromium/third_party/harfbuzz-ng/src/src/hb-ot-shape-normalize.cc
@@ -223,7 +223,8 @@ handle_variation_selector_cluster (const hb_ot_shape_normalize_context_t *c, uns
       /* The next two lines are some ugly lines... But work. */
       if (font->get_variation_glyph (buffer->cur().codepoint, buffer->cur(+1).codepoint, &buffer->cur().glyph_index()))
       {
-	buffer->replace_glyphs (2, 1, &buffer->cur().codepoint);
+	hb_codepoint_t unicode = buffer->cur().codepoint;
+	buffer->replace_glyphs (2, 1, &unicode);
       }
       else
       {
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-02-14 11:32:18 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-02-14 15:23:48 +0000
commit	82b53e95166ef361bc8963fb0b482e236e347ece (patch)
tree	af95b7ce41d81e612be1301e706df953889fb417 /chromium
parent	a3b4be8d0247ae89b061cabf02ed09aa76f07d7a (diff)
download	qtwebengine-chromium-82b53e95166ef361bc8963fb0b482e236e347ece.tar.gz