Compute Arabic shaping scratch buffer sizes in size_t#4042
Open
ubeddulla wants to merge 1 commit into
Open
Conversation
Author
|
I don't have Jira access to open an ICU ticket or get one accepted on my own, so I can't add the ICU-NNNNN prefix myself. If you can file one (or point me at an existing ticket), I'll update the PR title and reword the commit to match. This overlaps with #4043 (same file, sibling helpers), so a shared ticket would be fine if that's simpler on your end. |
Member
Please create a Jira account and then a ticket: https://icu.unicode.org/bugs
A combined ticket for both sounds fine. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Arabic shaping helpers in
ushape.cppsize their scratch buffers with(sourceLength + 1) * U_SIZEOF_UCHAR(and(destSize + 1) * U_SIZEOF_UCHAR) computed in 32-bitint, where the length ultimately comes from thesourceLengthpassed to the publicu_shapeArabic; a large input wraps the multiply and the allocation that follows is too small for the writes done afterwards.handleGeneratedSpacesalready has asize_toverflow guard, but it still does the multiply inint, so the value overflows before the guard can help on LP64, whileexpandCompositCharAtBegin,expandCompositCharAtEndandexpandCompositCharhave no guard at all. This computes the sizes insize_tand adds the same guard to the three sibling helpers.Checklist