[Fontconfig] fontconfig crash for special bdf font
Akira TAGOH
akira at tagoh.org
Tue Jan 28 02:17:34 PST 2014
[Cc'ing freetype-devel and Werner]
That prop.u.atom is the result of calling FT_BDF_Get_Property though;
we are expecting to see the proper atom when prop.type is set to
BDF_PROPERTY_TYPE_ATOM. In this case, IMHO, prop.type should be set to
BDF_PROPERTY_TYPE_NONE and an error should be returned.
Werner, any comments for that?
On Tue, Jan 28, 2014 at 5:48 PM, Petr Gajdos <pgajdos at suse.cz> wrote:
> Hello,
>
> a crash in libfontconfig was reported to me. Run
>
> $ fc-query startchar.bdf
>
> (startchar.bdf is a reproducer for a buffer overflow
> in libXfont, see [1])
>
> The problem is the following:
>
> Breakpoint 3, IA__FcFreeTypeQueryFace (face=0x608dd0,
> file=0x7fffffffebb9 "startchar.bdf", id=0, blanks=0x0) at
> fcfreetype.c:1591
> 1591 width = FcIsWidth ((FcChar8 *) prop.u.atom);
> (gdb) p prop.u.atom
> $6 = 0x0
>
> The following patch fixes the problem for me, but maybe this is not
> the correct place for this check.
>
> Index: src/fcstr.c
> ===================================================================
> --- src/fcstr.c.orig 2013-10-11 05:10:18.000000000 +0200
> +++ src/fcstr.c 2014-01-28 09:34:05.409800632 +0100
> @@ -26,6 +26,7 @@
> #include <stdlib.h>
> #include <ctype.h>
> #include <string.h>
> +#include <limits.h>
> #ifdef HAVE_REGEX_H
> #include <regex.h>
> #endif
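Review bot: the added `#include <limits.h>` is needed only for the INT_MAX sentinel introduced in the next hunk. If the NULL check ends up at the call site instead (the description itself doubts this is the right place), this include should be dropped with it.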
> @@ -211,6 +212,7 @@
> FcChar8 c1, c2;
>
> if (s1 == s2) return 0;
> + if (!s1 || !s2) return INT_MAX;
>
> FcStrCaseWalkerInit (s1, &w1);
> FcStrCaseWalkerInit (s2, &w2);
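Review bot: the new `if (!s1 || !s2) return INT_MAX;` returns the same positive value whichever argument is NULL, so swapping the arguments does not flip the sign, and a caller that uses the result for ordering rather than only testing it against 0 gets an inconsistent comparison. Consider a negative result when only s1 is NULL and a positive one when only s2 is NULL; the both-NULL case is already 0 through `s1 == s2`. The check also hides the NULL from the call site in the trace (`FcIsWidth ((FcChar8 *) prop.u.atom)` at fcfreetype.c:1591), where testing prop.u.atom before the call would keep the fix next to the bad property. If the check stays here, the function needs a comment saying that NULL arguments are accepted.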
>
> Petr
>
> [1]
> http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
>
--
Akira TAGOH
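
Added example, not part of the thread and not Fontconfig or FreeType code: a sketch of the two places the thread considers for the check, a caller-side guard for a property whose type says "atom" but whose atom pointer is NULL, and a NULL-tolerant comparison that keeps a consistent sign. The types `prop_rec`/`prop_type`, the functions `safe_casecmp`, `prop_atom_or_null` and `width_from_prop`, and the width table are hypothetical stand-ins constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a BDF property record (constructed; not the FreeType type). */
typedef enum { PROP_NONE, PROP_ATOM, PROP_INTEGER } prop_type;
typedef struct { prop_type type; union { const char *atom; long integer; } u; } prop_rec;

/* Case-insensitive compare that tolerates NULL and keeps a total order:
   NULL sorts before any string, so cmp(a,b) and cmp(b,a) have opposite signs. */
int safe_casecmp(const char *s1, const char *s2)
{
    if (s1 == s2) return 0;
    if (!s1) return -1;
    if (!s2) return 1;
    for (;; s1++, s2++) {
        int c1 = tolower((unsigned char)*s1), c2 = tolower((unsigned char)*s2);
        if (c1 != c2) return c1 < c2 ? -1 : 1;
        if (!c1) return 0;
    }
}

/* Caller-side guard: "type is ATOM but atom is NULL" is treated as no property. */
const char *prop_atom_or_null(const prop_rec *p)
{
    if (!p || p->type != PROP_ATOM || !p->u.atom) return NULL;
    return p->u.atom;
}

/* Hypothetical width lookup standing in for the call site in the backtrace.
   Returns -1 when the property is missing, malformed or unknown. */
int width_from_prop(const prop_rec *p)
{
    static const struct { const char *name; int value; } widths[] = {
        { "condensed", 75 }, { "normal", 100 }, { "expanded", 125 } }; /* constructed */
    const char *atom = prop_atom_or_null(p);
    if (!atom) return -1;
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++)
        if (safe_casecmp(atom, widths[i].name) == 0) return widths[i].value;
    return -1;
}

int main(void)
{
    prop_rec bad = { PROP_ATOM, { NULL } };        /* the state seen in gdb */
    prop_rec good = { PROP_ATOM, { "Condensed" } };
    printf("bad=%d good=%d\n", width_from_prop(&bad), width_from_prop(&good));
    return 0;
}
```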