fontconfig: Branch 'main' - 2 commits

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Jul 23 05:23:09 UTC 2025 

 fc-fontations/mod.rs                  |   10 +++++-----
 fc-fontations/pattern_bindings/mod.rs |    6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

New commits:
commit 1ce1ddd258e0f1f296d5755ad8b522bf8430f552
Merge: da02411 9e5a791
Author: Akira TAGOH <akira at tagoh.org>
Date:   Wed Jul 23 05:23:06 2025 +0000

    Merge branch 'fixUseAfterFree' into 'main'
    
    [Fontations] Fix use-after-free in handling exclusive lang
    
    See merge request fontconfig/fontconfig!454

commit 9e5a7916f15878553c0ef6722863acbdd188240b
Author: Dominik Röttsches <drott at chromium.org>
Date:   Tue Jul 22 15:42:22 2025 +0300

    [Fontations] Fix use-after-free in handling exclusive lang
    
    The exclusive_lang() function returns an Option<CString> which needs
    to be retained until the call to FcLangSetFromCharSet is completed.
    The CString owns the string memory, which we pass to FcLangSetFromCharSet.
    
    Previously, the code dropped the Option<CString> during the conversion
    to a char pointer, thus returning a pointer to dropped memory.
    
    Identified by ASAN in Chromium.

diff --git a/fc-fontations/mod.rs b/fc-fontations/mod.rs
index cd7f672..b7ac9e7 100644
--- a/fc-fontations/mod.rs
+++ b/fc-fontations/mod.rs
@@ -237,13 +237,13 @@ fn build_patterns_for_font(
 
     // CharSet and Langset.
     if let Some(charset) = charset::make_charset(font) {
-        let exclusive_lang =
-            exclusive_lang(font).map_or(std::ptr::null(), |lang| lang.as_bytes_with_nul().as_ptr());
+        let exclusive_lang = exclusive_lang(font);
 
         unsafe {
-            let langset =
-                FcLangSetWrapper::from_raw(FcLangSetFromCharSet(charset.as_ptr(), exclusive_lang)
-                    as *mut fontconfig_bindings::_FcLangSet);
+            let langset = FcLangSetWrapper::from_raw(FcLangSetFromCharSet(
+                charset.as_ptr(),
+                exclusive_lang.map_or(std::ptr::null(), |lang| lang.as_bytes_with_nul().as_ptr()),
+            ));
 
             pattern.append_element(PatternElement::new(
                 FC_CHARSET_OBJECT as i32,
diff --git a/fc-fontations/pattern_bindings/mod.rs b/fc-fontations/pattern_bindings/mod.rs
index f4b3f5d..6bf4248 100644
--- a/fc-fontations/pattern_bindings/mod.rs
+++ b/fc-fontations/pattern_bindings/mod.rs
@@ -28,9 +28,9 @@ use std::ffi::CString;
 use std::fmt::Debug;
 
 use fcint_bindings::{
-    FcPattern, FcPatternObjectAddBool, FcPatternObjectAddCharSet, FcPatternObjectAddDouble,
-    FcPatternObjectAddInteger, FcLangSet, FcPatternObjectAddLangSet, FcPatternObjectAddRange,
-    FcPatternObjectAddString, FC_FAMILY_OBJECT, FC_FILE_OBJECT,
+    FcLangSet, FcPattern, FcPatternObjectAddBool, FcPatternObjectAddCharSet,
+    FcPatternObjectAddDouble, FcPatternObjectAddInteger, FcPatternObjectAddLangSet,
+    FcPatternObjectAddRange, FcPatternObjectAddString, FC_FAMILY_OBJECT, FC_FILE_OBJECT,
 };
 
 use fc_wrapper::{FcCharSetWrapper, FcLangSetWrapper, FcPatternWrapper, FcRangeWrapper};

More information about the Fontconfig mailing list