[Fontconfig] Re: [PATCH] fix crashes on malformed fonts.cache

Patrick Lam plam at MIT.EDU
Mon Feb 6 06:17:13 PST 2006


Dirk Mueller wrote:
> 
>>Anyway, the real fix would be to drag the bytes_left_to_read parameter
>>around and verify against that one, since otherwise block_ptr will run out
>>of bounds (outside the mmaped area) and then crash.
> 
> Turns out this is easier than I thought, although metadata.count doesn't seem
> to be verified either. Anyway, this should work (yet untested):

Yes, this is much better.  I've committed it.

Other places do not read a count directly from the file; instead, they
use the counts stored in the metadata struct.  I'm not sure why I didn't
store the number of patterns in metadata, but it must have seemed like a
good idea at the time.  It might have to do with the fact that we
actually alloc the FcPattern * array...

So if you want to make the rest of fontconfig's treatment of input sizes
robust, you need to check metadata when it gets read in fccache.c.  It's
sort of less of an issue, though, because those other input sizes don't
trigger any memory allocation.  They're just within the mmapped chunk.

pat
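
As an added illustration of the bounds-checking approach discussed in this thread (example code written for this page, not fontconfig's own fccache.c; the record layout, the reader_t struct, the sample buffers and the function names are assumptions made for the example), the following contrasts a reader that trusts every count it finds in the mapped file with one that validates each count against the bytes left before advancing block_ptr:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified cache layout (an assumption for this example,
 * not the real fonts.cache format):
 *   uint32_t pattern_count;            -- the "metadata" count
 *   then pattern_count records, each:
 *     uint32_t elt_count;
 *     uint32_t elts[elt_count];
 */

typedef struct {
    const uint8_t *block_ptr;      /* cursor into the mmapped region */
    size_t bytes_left_to_read;     /* bytes between cursor and end of region */
} reader_t;

/* Copy n bytes from the cursor only if they lie inside the region. */
static int read_bytes(reader_t *r, void *out, size_t n)
{
    if (n > r->bytes_left_to_read)
        return -1;                 /* would walk past the mmapped area */
    memcpy(out, r->block_ptr, n);
    r->block_ptr += n;
    r->bytes_left_to_read -= n;
    return 0;
}

static int read_u32(reader_t *r, uint32_t *v)
{
    return read_bytes(r, v, sizeof *v);
}

/* Hardened reader: every count is checked against bytes_left_to_read
 * before it is used, so block_ptr can never leave the region.
 * Returns the number of elements across all patterns, or -1 if the
 * input is malformed. Dividing instead of multiplying also avoids a
 * count * sizeof overflow. */
long parse_cache_checked(const uint8_t *region, size_t region_len)
{
    reader_t r = { region, region_len };
    uint32_t pattern_count, elt_count, elt;
    long total = 0;

    if (read_u32(&r, &pattern_count) < 0)
        return -1;
    /* Each pattern needs at least its own 4-byte elt_count; reject a
     * count that cannot fit before anything is allocated from it. */
    if (pattern_count > r.bytes_left_to_read / sizeof(uint32_t))
        return -1;

    for (uint32_t i = 0; i < pattern_count; i++) {
        if (read_u32(&r, &elt_count) < 0)
            return -1;
        if (elt_count > r.bytes_left_to_read / sizeof(uint32_t))
            return -1;
        for (uint32_t j = 0; j < elt_count; j++) {
            if (read_u32(&r, &elt) < 0)
                return -1;
            total += 1;
        }
    }
    return total;
}

/* The unchecked pattern the thread describes: every count is trusted,
 * so a forged elt_count marches block_ptr past the end of the mapping.
 * Shown for contrast only; never run it on data you do not control. */
long parse_cache_naive(const uint8_t *region)
{
    const uint8_t *block_ptr = region;
    uint32_t pattern_count, elt_count;
    long total = 0;

    memcpy(&pattern_count, block_ptr, 4); block_ptr += 4;
    for (uint32_t i = 0; i < pattern_count; i++) {
        memcpy(&elt_count, block_ptr, 4); block_ptr += 4;
        block_ptr += (size_t)elt_count * 4;   /* no bounds check at all */
        total += elt_count;
    }
    return total;
}

/* Constructed sample input: 2 patterns, with 3 and 1 elements (7 words). */
const uint32_t good_words[] = { 2, 3, 10, 11, 12, 1, 99 };
/* Constructed malformed input: the second pattern claims 1000 elements
 * but only one word follows it. */
const uint32_t bad_words[]  = { 2, 3, 10, 11, 12, 1000, 99 };

int main(void)
{
    printf("checked, good: %ld\n",
           parse_cache_checked((const uint8_t *)good_words, sizeof good_words));
    printf("checked, bad:  %ld\n",
           parse_cache_checked((const uint8_t *)bad_words, sizeof bad_words));
    printf("naive, good:   %ld\n", parse_cache_naive((const uint8_t *)good_words));
    return 0;
}
```

The checked reader also rejects a truncated file (a region one word shorter than the good sample) and a header whose pattern_count is larger than the whole mapping, which is the kind of check the message above says still needs to be applied to the metadata counts.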

