[Fontconfig] Segfault within fc-list when not provided with a valid configuration

Matt Breedlove breedlove.matt at gmail.com
Mon Mar 9 06:09:14 PDT 2015


Oops, my fault in not replying correction:

Alright, I've narrowed things down somewhat.  I've been building with
"-ggdb -Og" to make sure it wasn't a case of excessive optimization.  This
looks like it only appears when building with "--enable-static
--disable-shared".  I hadn't put much thought into that fact since 2.9.1
builds fine and runs without any issues when configured and built exactly
the same.  After 2.9.1, I have to have shared libs enabled or that crash
creeps in.

I've been using the static libs only so shared libs go unused and
extraneous.  With the crash being caused by an unchecked reference and the
same functionality restored once a check was put in, I didn't put much more
thought into it.  I believe I saw something about it using shared libs'
path to locate its config files which would explain why, when configured
this way, 2.9.1 isn't able to find the default Windows fonts but it had
never crashed as a result.  Naturally, if passed in a valid fontconfig path
using the FONTCONFIG_PATH env variable, the default fonts are found in both
versions and the crash naturally never takes place.  I only raised the
issue due to the segfault itself, however.  The only code paths I noticed
that didn't check for a null config were from when FcFontSetList and
FcFontList make calls to FcInitBringUptoDate which wasn't checking for a
null.  In every other function I saw, an explicit check was performed prior
to its use.

On Sat, Mar 7, 2015 at 1:32 PM, Matt Breedlove <breedlove.matt at gmail.com>
wrote:

> Alright, I've narrowed things down somewhat.  I've been building with
> "-ggdb -Og" to make sure it wasn't a case of excessive optimization.  This
> looks like it only appears when building with "--enable-static
> --disable-shared".  I hadn't put much thought into that fact since 2.9.1
> builds fine and runs without any issues when configured and built exactly
> the same.  After 2.9.1, I have to have shared libs enabled or that crash
> creeps in.
>
> I've been using the static libs only so shared libs go unused and
> extraneous.  With the crash being caused by an unchecked reference and the
> same functionality restored once a check was put in, I didn't put much more
> thought into it.  I believe I saw something about it using shared libs'
> path to locate its config files which would explain why, when configured
> this way, 2.9.1 isn't able to find the default Windows fonts but it had
> never crashed as a result.  Naturally, if passed in a valid fontconfig path
> using the FONTCONFIG_PATH env variable, the default fonts are found in both
> versions and the crash naturally never takes place.  I only raised the
> issue due to the segfault itself, however.  The only code paths I noticed
> that didn't check for a null config were from when FcFontSetList and
> FcFontList make calls to FcInitBringUptoDate which wasn't checking for a
> null.  In every other function I saw, an explicit check was performed prior
> to its use.
>
> On Sat, Mar 7, 2015 at 11:20 AM, Matt Breedlove <breedlove.matt at gmail.com>
> wrote:
>
>> I can take a further look into the code differences between 2.11.1 and
>> 2.11.91 to see if I can pinpoint what change may be causing it but after
>> 2.11.1, it happens with consistency.  I haven't noticed any other
>> problematic behavior elsewhere, though.  After putting that check into
>> place, the two releases appear to function identically so I assumed 2.11.1
>> just bails out before ever reaching that point and some type of correction
>> dealing with blank/invalid configs might have just been fixed allowing
>> fc-list to finally reach this point in the code.
>>
>> On Thu, Mar 5, 2015 at 9:02 PM, Akira TAGOH <akira at tagoh.org> wrote:
>>
>>> Thanks. but how often does it happen? I think it's only when the memory
>>> allocation failed though.
>>>
>>> On Thu, Mar 5, 2015 at 10:36 PM, Matt Breedlove <
>>> breedlove.matt at gmail.com> wrote:
>>>
>>>> Beginning with version 2.11.91 up to trunk:
>>>>
>>>> In fcinit.c, the FcInitBringUptoDate function doesn't properly validate
>>>> the return value for FcConfigGetCurrent() leading to a segfault when
>>>> attempting to reference config->rescanInterval.
>>>>
>>>> fc-list suffers from this problem and crashes as a result when not
>>>> provided with a valid fontconfig file.  Versions prior to 2.11.91 don't
>>>> exhibit the same behavior.
>>>>
>>>> mingw-w64 / gcc 4.92 / Windows 8.1 x64
>>>>
>>>>
>>>> diff --git a/src/fcinit.c b/src/fcinit.c
>>>> index db62c21..1315a52 100644
>>>> --- a/src/fcinit.c
>>>> +++ b/src/fcinit.c
>>>> @@ -209,6 +209,9 @@ FcInitBringUptoDate (void)
>>>>      FcConfig   *config = FcConfigGetCurrent ();
>>>>      time_t     now;
>>>>
>>>> +    if (!config)
>>>> +        return FcFalse;
>>>> +
>>>>      /*
>>>>       * rescanInterval == 0 disables automatic up to date
>>>>       */
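Review bot: the early `if (!config) return FcFalse;` stops the `config->rescanInterval` dereference described in the report, but the hunk does not show what FcFontList and FcFontSetList (the callers named in this thread) do with an FcFalse result; if they go on to use the current config after FcInitBringUptoDate fails, the same null dereference just moves one frame up, so those callers should be checked to bail out as well. The patch also carries no commit message explaining when FcConfigGetCurrent() returns NULL here; since the thread narrows it to --enable-static --disable-shared builds with no valid config found rather than to allocation failure, that condition belongs in the description so the root cause in initialization is not masked by the check.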
>>>>
>>>> Matt Breedlove
>>>>
>>>> _______________________________________________
>>>> Fontconfig mailing list
>>>> Fontconfig at lists.freedesktop.org
>>>> http://lists.freedesktop.org/mailman/listinfo/fontconfig
>>>>
>>>>
>>>
>>>
>>> --
>>> Akira TAGOH
>>>
>>
>>
>