From c1e97b372e21edf9c7e45cfea0eca7f1a52fe9e5 Mon Sep 17 00:00:00 2001
From: herb
Date: Thu, 5 Mar 2015 11:51:11 -0800
Subject: Fix uninitialized memory bug in the SkGlyphCache.
The core of the problem is that the system is asked to lookup the metrics for a character with id == 0. This causes a hit in the fCharToGlyphHash matching the sentinel glyph. This happens because fCharToGlpyhHash is initialized with all zeros, therefore, the fID is zero matching the char with id == 0. The fAdvanceX field of the sentinel glyph is in fact not initialized. The bigger question is now did a zero character get passed to getUnicharMetrics? The breaking code is basically as follows: wchar_t glyph = L'S'; paint.measureText(&glyph, 2); This get mischaracterized as a utf8 string instead of a utf16(?) string. Because of the little endian ordering, this is the character string 'L' '\0'. Since the size of the original string is two bytes (but a single character) the '\0' is treated as its own character and past to getUnicharMetrics.
TEST: On windows failed using DrMemory. With this change does not fail.
BUG=463204
Review URL: https://codereview.chromium.org/977063002
---
 src/core/SkGlyphCache.h | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
(limited to 'src/core/SkGlyphCache.h')
diff --git a/src/core/SkGlyphCache.h b/src/core/SkGlyphCache.h
index 200655bb41..d0b792f273 100644
--- a/src/core/SkGlyphCache.h
+++ b/src/core/SkGlyphCache.h
@@ -207,13 +207,15 @@ private:
 enum {
 kHashBits = 8,
 kHashCount = 1 << kHashBits,
- kHashMask = kHashCount - 1,
- kSentinelGlyphIndex = 0,
- kSentinelGlyphID = ~0
+ kHashMask = kHashCount - 1
 };
-
+ // A quick lookup to avoid the binary search looking for glyphs in fGlyphArray.
 uint16_t fGlyphHash[kHashCount];
+ // Contains the SkGlyphs that are used by fGlyphHash and fCharToGlyphHash. The zero element
+ // is reserved for a sentinel SkGlyph that reduces the logic to check for collisions in the
+ // hash arrays. The zero element has an fID of SkGlyph::kImpossibleID which never matches
+ // any combined id generated for a char or a glyph.
 SkTDArray fGlyphArray;
 SkChunkAlloc fGlyphAlloc;
-- cgit v1.2.3
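Review bot: The new fGlyphArray comment documents only that the sentinel's fID (SkGlyph::kImpossibleID) never matches a generated id, yet the commit message identifies the harmful part of the old sentinel as its uninitialized fAdvanceX being read on a spurious hit, so the comment should also record that the sentinel's metric fields are fully initialized; that initialization is not visible on this page (the diff shown is limited to the header), so confirm where it happens before citing it. Suggested addition after the last added comment line: `// The sentinel's metrics are fully initialized as well, so a lookup that lands on it never reads uninitialized memory.` The replacement of `kSentinelGlyphID = ~0` by SkGlyph::kImpossibleID also rests on the claim that no combined char/glyph id can equal it, which is stated in prose only; a static_assert against the id packing, or at least a comment pointing at where the combined ids are built, would make the invariant checkable rather than asserted. The enclosing class declaration begins and ends outside the hunk.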