[Fontconfig] fontconfig crash for special bdf font
Petr Gajdos
pgajdos at suse.cz
Tue Jan 28 00:48:02 PST 2014
Hello,
a crash in libfontconfig was reported to me. Run
$ fc-query startchar.bdf
(startchar.bdf is reproducer for buffer overflow
in libXfont, see [1])
The problem is following:
Breakpoint 3, IA__FcFreeTypeQueryFace (face=0x608dd0,
file=0x7fffffffebb9 "startchar.bdf", id=0, blanks=0x0) at
fcfreetype.c:1591
1591 width = FcIsWidth ((FcChar8 *) prop.u.atom);
(gdb) p prop.u.atom
$6 = 0x0
Following patch fixes problem for me, but maybe this is not correct
place for this check.
Index: src/fcstr.c
===================================================================
--- src/fcstr.c.orig 2013-10-11 05:10:18.000000000 +0200
+++ src/fcstr.c 2014-01-28 09:34:05.409800632 +0100
@@ -26,6 +26,7 @@
#include <stdlib.h>
#include <ctype.h>
#include <string.h>
+#include <limits.h>
#ifdef HAVE_REGEX_H
#include <regex.h>
#endif
@@ -211,6 +212,7 @@
FcChar8 c1, c2;
if (s1 == s2) return 0;
+ if (!s1 || !s2) return INT_MAX;
FcStrCaseWalkerInit (s1, &w1);
FcStrCaseWalkerInit (s2, &w2);
Petr
[1]
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
-------------- next part --------------
A non-text attachment was scrubbed...
Name: startchar.bdf
Type: application/x-font-bdf
Size: 6951 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/fontconfig/attachments/20140128/744dde6f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.freedesktop.org/archives/fontconfig/attachments/20140128/744dde6f/attachment.pgp>
More information about the Fontconfig
mailing list