diff -r 617fcb4b52f8 -r 78f5508cde89 jdk/src/java.desktop/share/native/libfontmanager/layout/IndicRearrangementProcessor2.cpp --- a/jdk/src/java.desktop/share/native/libfontmanager/layout/IndicRearrangementProcessor2.cpp Fri Jul 24 09:44:32 2015 -0700 +++ b/jdk/src/java.desktop/share/native/libfontmanager/layout/IndicRearrangementProcessor2.cpp Wed Jul 29 11:04:39 2015 -0700 @@ -74,14 +74,14 @@ } if (flags & irfMarkFirst) { - firstGlyph = currGlyph; + firstGlyph = (le_uint32)currGlyph; } if (flags & irfMarkLast) { - lastGlyph = currGlyph; + lastGlyph = (le_uint32)currGlyph; } - doRearrangementAction(glyphStorage, (IndicRearrangementVerb) (flags & irfVerbMask)); + doRearrangementAction(glyphStorage, (IndicRearrangementVerb) (flags & irfVerbMask), success); if (!(flags & irfDontAdvance)) { currGlyph += dir; @@ -94,18 +94,29 @@ { } -void IndicRearrangementProcessor2::doRearrangementAction(LEGlyphStorage &glyphStorage, IndicRearrangementVerb verb) const +void IndicRearrangementProcessor2::doRearrangementAction(LEGlyphStorage &glyphStorage, IndicRearrangementVerb verb, LEErrorCode &success) const { LEGlyphID a, b, c, d; le_int32 ia, ib, ic, id, ix, x; - LEErrorCode success = LE_NO_ERROR; + + if (LE_FAILURE(success)) return; + + if (verb == irvNoAction) { + return; + } + if (firstGlyph > lastGlyph) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return; + } switch(verb) { - case irvNoAction: + case irvxA: + if (firstGlyph == lastGlyph) break; + if (firstGlyph + 1 < firstGlyph) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; break; - - case irvxA: + } a = glyphStorage[firstGlyph]; ia = glyphStorage.getCharIndex(firstGlyph, success); x = firstGlyph + 1; @@ -122,6 +133,11 @@ break; case irvDx: + if (firstGlyph == lastGlyph) break; + if (lastGlyph - 1 > lastGlyph) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } d = glyphStorage[lastGlyph]; id = glyphStorage.getCharIndex(lastGlyph, success); x = lastGlyph - 1; @@ -150,6 +166,11 @@ break; case irvxAB: + if ((firstGlyph + 2 < firstGlyph) || + (lastGlyph - firstGlyph < 1)) { // difference == 1 is a no-op, < 1 is an error. + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; ia = glyphStorage.getCharIndex(firstGlyph, success); @@ -171,6 +192,11 @@ break; case irvxBA: + if ((firstGlyph + 2 < firstGlyph) || + (lastGlyph - firstGlyph < 1)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; ia = glyphStorage.getCharIndex(firstGlyph, success); @@ -192,6 +218,11 @@ break; case irvCDx: + if ((lastGlyph - 2 > lastGlyph) || + (lastGlyph - firstGlyph < 1)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } c = glyphStorage[lastGlyph - 1]; d = glyphStorage[lastGlyph]; ic = glyphStorage.getCharIndex(lastGlyph - 1, success); @@ -213,6 +244,11 @@ break; case irvDCx: + if ((lastGlyph - 2 > lastGlyph) || + (lastGlyph - firstGlyph < 1)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } c = glyphStorage[lastGlyph - 1]; d = glyphStorage[lastGlyph]; ic = glyphStorage.getCharIndex(lastGlyph - 1, success); @@ -234,6 +270,11 @@ break; case irvCDxA: + if ((lastGlyph - 2 > lastGlyph) || + (lastGlyph - firstGlyph < 2)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; c = glyphStorage[lastGlyph - 1]; d = glyphStorage[lastGlyph]; @@ -259,6 +300,11 @@ break; case irvDCxA: + if ((lastGlyph - 2 > lastGlyph) || + (lastGlyph - firstGlyph < 2)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; c = glyphStorage[lastGlyph - 1]; d = glyphStorage[lastGlyph]; @@ -284,6 +330,11 @@ break; case irvDxAB: + if ((firstGlyph + 2 < firstGlyph) || + (lastGlyph - firstGlyph < 2)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; d = glyphStorage[lastGlyph]; @@ -309,6 +360,11 @@ break; case irvDxBA: + if ((firstGlyph + 2 < firstGlyph) || + (lastGlyph - firstGlyph < 2)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; d = glyphStorage[lastGlyph]; @@ -334,6 +390,10 @@ break; case irvCDxAB: + if (lastGlyph - firstGlyph < 3) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; @@ -356,6 +416,10 @@ break; case irvCDxBA: + if (lastGlyph - firstGlyph < 3) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; @@ -378,6 +442,10 @@ break; case irvDCxAB: + if (lastGlyph - firstGlyph < 3) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1]; @@ -400,6 +468,10 @@ break; case irvDCxBA: + if (lastGlyph - firstGlyph < 3) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + break; + } a = glyphStorage[firstGlyph]; b = glyphStorage[firstGlyph + 1];