On Sun, Feb 09, 2003 at 10:48:58AM +0900, Chisato Yamauchi wrote:
> Ok.
>
> Fundamentally, this problem is a buffer overflow. By applying
>the following patch, the crash is avoidable.
The calculation of "bpr" looks a little unusual to me, but I don't know
how all the parameters are used.
I'll commit your patch now since it does help prevent a crash.
Thanks.
David
--
David Dawes
Release Engineer/Architect The XFree86 Project
www.XFree86.org/~dawes
>
>*** xc/lib/font/FreeType/ftfuncs.c.orig 2002-10-03 00:06:12.000000000 +0900
>--- xc/lib/font/FreeType/ftfuncs.c 2003-02-08 15:45:38.000000000 +0900
>***************
>*** 600,609 ****
> bpr = (((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) &
> -instance->bmfmt.glyph);
> if(tgp) {
>! raster = (char*)xalloc(ht * bpr);
> if(raster == NULL)
> return AllocError;
>! memset(raster, 0, ht * bpr);
> }
>
> if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
>--- 600,609 ----
> bpr = (((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) &
> -instance->bmfmt.glyph);
> if(tgp) {
>! raster = (char*)xalloc((ht+2) * bpr);
> if(raster == NULL)
> return AllocError;
>! memset(raster, 0, (ht+2) * bpr);
> }
>
> if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
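Review bot: the hunk only widens the allocation (`raster = (char*)xalloc((ht+2) * bpr);` and the matching `memset(raster, 0, (ht+2) * bpr);`) and leaves whatever later writes into `raster` unbounded, so if the metric-derived `ht` undercounts the bitmap's rows by more than two the overflow is still there. Suggest adding an explicit check before the copy that the source bitmap's rows and `pitch` do not exceed `ht` and `bpr`, returning an error the way the `AllocError` path already does, and a comment stating why any slack rows are needed; the two-row constant otherwise reads as a guess. On the `bpr` line, `(((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) & -instance->bmfmt.glyph)` rounds the byte width up to a multiple of `glyph` bytes and is correct only because `glyph` is a power of two; a one-line comment saying so would answer the "looks unusual" remark.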
>
>
> (ht+1) rather than (ht+2) may be more appropriate. However, I
>think that (ht+2) is safer, since the calculation of the metric
>may be wrong.
>
> I'd like the maintainer of the "freetype" module to investigate
>in detail.
>
>------------------------------------------------------------
> Chisato Yamauchi
>_______________________________________________
>Fonts mailing list
>[EMAIL PROTECTED]
>http://XFree86.Org/mailman/listinfo/fonts
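As an added illustration (not part of this thread or of the XFree86 sources): the `bpr` rounding used in the hunk, written out as a function, next to a raster-copy routine that rejects a bitmap whose rows or pitch exceed the raster instead of relying on extra rows in the allocation. The function names and the sample bitmap are constructed here; only the `bpr` arithmetic is taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes per row for a bitmap `wd` pixels wide, rounded up to a multiple of
 * `glyph` bytes (the XFree86 bitmap row padding unit: 1, 2 or 4).  Same
 * arithmetic as the `bpr` line in the hunk; the `& -glyph` mask only works
 * because `glyph` is a power of two. */
static size_t bytes_per_row(unsigned wd, unsigned glyph)
{
    return (size_t)(((wd + (glyph << 3) - 1) >> 3) & -glyph);
}

/* Does a source bitmap of `rows` rows and `pitch` bytes per row fit into a
 * raster of `ht` rows and `bpr` bytes per row?  This is the check that the
 * (ht+2) padding in the patch stands in for. */
static int bitmap_fits(unsigned rows, unsigned pitch, unsigned ht, size_t bpr)
{
    return rows <= ht && (size_t)pitch <= bpr;
}

/* Allocate a zeroed ht x bpr raster and copy the bitmap into it row by row.
 * Returns NULL if the metric disagrees with the bitmap or the size would
 * wrap, mirroring the hunk's AllocError path instead of writing past the
 * buffer. */
static unsigned char *copy_bitmap_checked(const unsigned char *src,
                                          unsigned rows, unsigned pitch,
                                          unsigned ht, size_t bpr)
{
    if (!bitmap_fits(rows, pitch, ht, bpr))
        return NULL;
    if (bpr != 0 && ht > SIZE_MAX / bpr)      /* ht * bpr would overflow */
        return NULL;
    unsigned char *raster = calloc(ht, bpr);   /* zero-filled, like the memset */
    if (raster == NULL)
        return NULL;
    for (unsigned r = 0; r < rows; r++)
        memcpy(raster + (size_t)r * bpr, src + (size_t)r * pitch, pitch);
    return raster;
}

/* Constructed sample: a 13-pixel-wide, 3-row glyph, 2 bytes per source row. */
static const unsigned char sample_bitmap[6] = {
    0xF0, 0x80,
    0xFF, 0x00,
    0x0F, 0xC0,
};

int main(void)
{
    size_t bpr = bytes_per_row(13, 4);          /* 2 bytes, padded to 4 */
    unsigned char *raster = copy_bitmap_checked(sample_bitmap, 3, 2, 4, bpr);
    printf("bpr=%zu copy=%s\n", bpr, raster ? "ok" : "rejected");
    free(raster);
    /* A bitmap taller than the metric claims is rejected, not overflowed. */
    raster = copy_bitmap_checked(sample_bitmap, 5, 2, 4, bpr);
    printf("5 rows into 4: %s\n", raster ? "ok" : "rejected");
    free(raster);
    return 0;
}
```

The point of `bitmap_fits` is that the caller decides what to do with a bad metric (reject the glyph, log it) rather than hoping the over-allocation covers the discrepancy; with the check in place the allocation can stay at exactly `ht * bpr`.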