Changeset 204502 in webkit

Timestamp:

Aug 16, 2016 2:43:04 AM (8 years ago)

Author:

pvollan@apple.com

Message:

[Win] Hardening of getLinkedFonts function.
​https://bugs.webkit.org/show_bug.cgi?id=160850

The SUCCEEDED macro should only be used for functions returning a HRESULT type.
Also, make sure a string array index will not exceed the string length.

• platform/graphics/win/FontCacheWin.cpp:

(WebCore::getLinkedFonts):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/graphics/win/FontCacheWin.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-16  Per Arne Vollan  <pvollan@apple.com>
+
+        [Win] Hardening of getLinkedFonts function.
+        https://bugs.webkit.org/show_bug.cgi?id=160850
+
+        The SUCCEEDED macro should only be used for functions returning a HRESULT type.
+        Also, make sure a string array index will not exceed the string length.
+
+        * platform/graphics/win/FontCacheWin.cpp:
+        (WebCore::getLinkedFonts):
+
 2016-08-16  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/platform/graphics/win/FontCacheWin.cpp

@@ -117 +117 @@
 
     WCHAR* linkedFonts = reinterpret_cast<WCHAR*>(malloc(linkedFontsBufferSize));
-    if (SUCCEEDED(RegQueryValueEx(fontLinkKey, family.charactersWithNullTermination().data(), 0, NULL, reinterpret_cast<BYTE*>(linkedFonts), &linkedFontsBufferSize))) {
+    if (::RegQueryValueEx(fontLinkKey, family.charactersWithNullTermination().data(), 0, nullptr, reinterpret_cast<BYTE*>(linkedFonts), &linkedFontsBufferSize) == ERROR_SUCCESS) {
         unsigned i = 0;
         unsigned length = linkedFontsBufferSize / sizeof(*linkedFonts);
@@ -123 +123 @@
             while (i < length && linkedFonts[i] != ',')
                 i++;
+            // Break if we did not find a comma.
+            if (i == length)
+                break;
             i++;
             unsigned j = i;