Ok.
This problem is fundamentally a buffer overflow. By applying
the following patch, the crash is avoidable.
*** xc/lib/font/FreeType/ftfuncs.c.orig 2002-10-03 00:06:12.000000000 +0900
--- xc/lib/font/FreeType/ftfuncs.c 2003-02-08 15:45:38.000000000 +0900
***************
*** 600,609 ****
bpr = (((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) &
-instance->bmfmt.glyph);
if(tgp) {
! raster = (char*)xalloc(ht * bpr);
if(raster == NULL)
return AllocError;
! memset(raster, 0, ht * bpr);
}
if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
--- 600,609 ----
bpr = (((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) &
-instance->bmfmt.glyph);
if(tgp) {
! raster = (char*)xalloc((ht+2) * bpr);
if(raster == NULL)
return AllocError;
! memset(raster, 0, (ht+2) * bpr);
}
if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
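Review bot: The (ht+2) * bpr size passed to xalloc and memset pads the raster by two rows but does not bound the write that runs past ht rows, so the overflow is masked rather than fixed, and nothing in this hunk shows that two rows is always enough. The overrunning write is not part of these lines; it should be located and its row count clamped to the allocated height, or the height should be derived from the same metrics the copy uses. If the padding stays, compute the size once into a local instead of repeating the expression in both calls, add a comment saying why the extra rows are needed, and check the multiplication for overflow before allocating.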
(ht+1) rather than (ht+2) may be more appropriate. However, I
think that (ht+2) is safer, since the calculation of the metric
may be wrong.
I'd like the maintainer of the "freetype" module to investigate
this in detail.
------------------------------------------------------------
Chisato Yamauchi
_______________________________________________
Fonts mailing list
http://XFree86.Org/mailman/listinfo/fonts