commit 91e22d49d6e23a2d1138bfef186a9fb926341b86
author Seigo Nonaka <nona@google.com> Mon Jul 10 17:12:48 2017 -0700
committer android-build-team Robot <android-build-team-robot@google.com> Wed Sep 13 22:04:51 2017 +0000
tree 57f6aa78be7e72d818044201298f448d70137d7f
parent 7ecc184daa5616047da7cc5e2b2e9393a86f7be7

Reject unsorted cmap entries. DO NOT MERGE

addRange assumes the passing ranges are sorted in ascending order which
is a part of OpenType spec, but bad fonts can pass arbitrary ranges.
Now, addRange rejects invalid input and stop using such bad fonts.

Bug: 32178311
Test: mmma -j1024 cts/tests/tests/graphics/
      adb install -r $OUT/data/app/CtsGraphicsTestCases/CtsGraphicsTestCases.apk
      adb shell am instrument -w -e class android.graphics.cts.TypefaceTest
      com.android.cts.graphics/android.support.test.runner.AndroidJUnitRunner
Change-Id: Ice845a1206e1c9da08ea20c7b56fde2e6ec8b673
(cherry picked from commit 66a7640f69b91fcf5de70c76d5f16e63f0803f29)

libs/minikin/CmapCoverage.cpp

diff --git a/libs/minikin/CmapCoverage.cpp b/libs/minikin/CmapCoverage.cpp
index a4503af..eb46c41 100644
--- a/libs/minikin/CmapCoverage.cpp
+++ b/libs/minikin/CmapCoverage.cpp
@@ -37,15 +37,25 @@
         ((uint32_t)data[offset + 2]) << 8 | ((uint32_t)data[offset + 3]);
 }
 
-static void addRange(vector<uint32_t> &coverage, uint32_t start, uint32_t end) {
+// The start must be larger than or equal to coverage.back() if coverage is not empty.
+// Returns true if the range is appended. Otherwise returns false as an error.
+static bool addRange(vector<uint32_t> &coverage, uint32_t start, uint32_t end) {
 #ifdef VERBOSE_DEBUG
     ALOGD("adding range %d-%d\n", start, end);
 #endif
     if (coverage.empty() || coverage.back() < start) {
         coverage.push_back(start);
         coverage.push_back(end);
-    } else {
+        return true;
+    } else if (coverage.back() == start) {
         coverage.back() = end;
+        return true;
+    } else {
+        // Reject unordered range input since SparseBitSet assumes that the given range vector is
+        // sorted. OpenType specification says cmap entries are sorted in order of code point
+        // values, thus for OpenType compliant font files, we don't reach here.
+        android_errorWriteLog(0x534e4554, "32178311");
+        return false;
     }
 }
 
@@ -74,11 +84,15 @@
         if (rangeOffset == 0) {
             uint32_t delta = readU16(data, kHeaderSize + 2 * (2 * segCount + i));
             if (((end + delta) & 0xffff) > end - start) {
-                addRange(coverage, start, end + 1);
+                if (!addRange(coverage, start, end + 1)) {
+                    return false;
+                }
             } else {
                 for (uint32_t j = start; j < end + 1; j++) {
                     if (((j + delta) & 0xffff) != 0) {
-                        addRange(coverage, j, j + 1);
+                        if (!addRange(coverage, j, j + 1)) {
+                            return false;
+                        }
                     }
                 }
             }
@@ -92,7 +106,9 @@
                 }
                 uint32_t glyphId = readU16(data, actualRangeOffset);
                 if (glyphId != 0) {
-                    addRange(coverage, j, j + 1);
+                    if (!addRange(coverage, j, j + 1)) {
+                        return false;
+                    }
                 }
             }
         }
@@ -126,7 +142,9 @@
             android_errorWriteLog(0x534e4554, "26413177");
             return false;
         }
-        addRange(coverage, start, end + 1);  // file is inclusive, vector is exclusive
+        if (!addRange(coverage, start, end + 1)) {  // file is inclusive, vector is exclusive
+            return false;
+        }
     }
     return true;
 }