[Fontconfig] fontconfig: Branch 'master' - 3 commits

Akira TAGOH tagoh at kemper.freedesktop.org
Tue Nov 5 03:45:14 CET 2013


 fc-glyphname/fc-glyphname.c |    2 +-
 fc-lang/fc-lang.c           |    2 +-
 src/fcname.c                |    2 ++
 src/fcstr.c                 |    8 ++++++--
 4 files changed, 10 insertions(+), 4 deletions(-)

New commits:
commit 0b7f42f777a14ee61783fd95dd04e870f02d201e
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Nov 2 10:23:57 2013 -0700

    Avoid null pointer dereference in FcNameParse if malloc fails
    
    Reported by parfait 1.3:
    Error: Null pointer dereference (CWE 476)
       Read from null pointer t
            at line 423 of src/fcname.c in function 'FcNameParse'.
              Function _FcObjectLookupOtherTypeByName may return constant 'NULL'
               at line 63, called at line 122 of src/fcobjs.c in function
               'FcObjectLookupOtherTypeByName'.
              Function FcObjectLookupOtherTypeByName may return constant 'NULL'
               at line 122, called at line 67 of src/fcname.c in function
               'FcNameGetObjectType'.
              Function FcNameGetObjectType may return constant 'NULL' at line 67,
               called at line 422 in function 'FcNameParse'.
              Null pointer introduced at line 63 of src/fcobjs.c in function
               '_FcObjectLookupOtherTypeByName'.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/src/fcname.c b/src/fcname.c
index 712b2fa..f302948 100644
--- a/src/fcname.c
+++ b/src/fcname.c
@@ -420,6 +420,8 @@ FcNameParse (const FcChar8 *name)
 		if ((c = FcNameGetConstant (save)))
 		{
 		    t = FcNameGetObjectType ((char *) c->object);
+		    if (t == NULL)
+			goto bail2;
 		    switch ((int) t->type) {
 		    case FcTypeInteger:
 		    case FcTypeDouble:
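Review bot: The new `goto bail2` after the `FcNameGetObjectType` call abandons the whole parse without any hint of why, and the parfait trace quoted in the commit message shows the NULL originates in `_FcObjectLookupOtherTypeByName`, so it is not obvious from the code that only an allocation failure lands here rather than an unknown object name for the constant. A one-line comment would keep the next reader from assuming the narrower case, e.g. `/* no object type known for this constant (lookup or allocation failed): abandon the parse */`. Whether `bail2` releases everything acquired before this point cannot be checked from the hunk, since FcNameParse's body and its cleanup labels lie outside it.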
commit 5b8380d52eae55cba0adcc47d78a53c320d294ec
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Nov 2 10:23:56 2013 -0700

    Avoid memory leak when NULL path passed to FcStrBuildFilename
    
    Reported by parfait 1.3:
       Memory leak of pointer sset allocated with FcStrSetCreate()
            at line 933 of src/fcstr.c in function 'FcStrBuildFilename'.
              sset allocated at line 927 with FcStrSetCreate().
              sset leaks when sset != NULL at line 932.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/src/fcstr.c b/src/fcstr.c
index 5707172..024dae3 100644
--- a/src/fcstr.c
+++ b/src/fcstr.c
@@ -924,12 +924,16 @@ FcStrBuildFilename (const FcChar8 *path,
 		    ...)
 {
     va_list ap;
-    FcStrSet *sset = FcStrSetCreate ();
+    FcStrSet *sset;
     FcStrList *list;
     FcChar8 *s, *ret = NULL, *p;
     size_t len = 0;
 
-    if (!sset || !path)
+    if (!path)
+	return NULL;
+
+    sset = FcStrSetCreate ();
+    if (!sset)
 	return NULL;
 
     if (!FcStrSetAdd (sset, path))
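Review bot: With `sset` now created only after the `path` check, every later early exit in FcStrBuildFilename has to pass through `FcStrSetDestroy (sset)`, and the `if (!FcStrSetAdd (sset, path))` branch on the last hunk line is the first such exit; its body, like the rest of the function, is outside the hunk, so it is worth confirming it frees the set instead of returning directly, otherwise the leak reported at line 932 simply moves one line down. The reordering itself is the right shape: testing the cheap precondition before allocating avoids the allocate-then-discard pattern altogether, and the two separate `return NULL` checks read more clearly than the old combined condition.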
commit cb72901d0b7dff73ea2596491c5db602e4750853
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Nov 2 10:23:55 2013 -0700

    Leave room for null terminators in arrays
    
    Code currently returns a fatal error if it tries to add more entries
    than the array has room for, but it wasn't checking to make sure
    the final null terminator entry would fit.
    
    Reported by parfait 1.3:
    Error: Buffer overrun
       Buffer overflow (CWE 120): In array dereference of files[i] with index i
          Array size is 256 elements (of 4 bytes each), index >= 0 and index <= 256
            at line 250 of fc-glyphname/fc-glyphname.c in function 'main'.
    Error: Buffer overrun
       Buffer overflow (CWE 120): In array dereference of entries[i] with index i
          Array size is 1024 elements (of 8 bytes each), index >= 0 and index <= 1024
            at line 298 of fc-lang/fc-lang.c in function 'main'.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/fc-glyphname/fc-glyphname.c b/fc-glyphname/fc-glyphname.c
index 8402781..078490a 100644
--- a/fc-glyphname/fc-glyphname.c
+++ b/fc-glyphname/fc-glyphname.c
@@ -233,7 +233,7 @@ dump (FcGlyphName * const *table, const char *name)
 int
 main (int argc FC_UNUSED, char **argv)
 {
-    char	*files[MAX_GLYPHFILE];
+    char	*files[MAX_GLYPHFILE + 1];
     char	line[1024];
     FILE	*f;
     int		i;
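Review bot: The `+ 1` in `char *files[MAX_GLYPHFILE + 1];` encodes a contract (one slot reserved for the terminating NULL entry) that is explained only in the commit message; a comment on the declaration keeps it from being "simplified" away later, e.g. `char	*files[MAX_GLYPHFILE + 1];	/* +1: slot for the terminating NULL */`. The same applies to `static Entry entries[MAX_LANG + 1];` in the fc-lang/fc-lang.c hunk, where the sibling arrays `sets`, `duplicate` and `country` stay at MAX_LANG, which is fine if only `entries` receives a terminator entry, as the parfait report suggests, but the fill loop is outside the hunk so that cannot be confirmed here. In both files the overflow guard that compares the entry count against MAX_GLYPHFILE / MAX_LANG is also outside the hunk and should be checked to still bound the count by the constant rather than by the enlarged array length.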
diff --git a/fc-lang/fc-lang.c b/fc-lang/fc-lang.c
index 0f4217f..38fc697 100644
--- a/fc-lang/fc-lang.c
+++ b/fc-lang/fc-lang.c
@@ -254,7 +254,7 @@ static int compare (const void *a, const void *b)
 int
 main (int argc FC_UNUSED, char **argv)
 {
-    static Entry	entries[MAX_LANG];
+    static Entry	entries[MAX_LANG + 1];
     static FcCharSet	*sets[MAX_LANG];
     static int		duplicate[MAX_LANG];
     static int		country[MAX_LANG];

