> The calculation of "bpr" looks a little unusual to me, but I don't know
> how all the parameters are used.
> 
> I'll commit your patch now since it does help prevent a crash.

  Thanks.

  I confirmed that this buffer overflow occurs in the memcpy() call in
ftfuncs.c:

====
    if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
        memcpy(raster, bitmap->buffer, bitmap->rows * bitmap->pitch);
    } else if(dx == 0) {
====

  'bitmap->rows * bitmap->pitch' sometimes exceeds 'ht*bpr' 
when displaying kochi-mincho.ttf, so X crashes.

  The following patch improves safety.  Although it uses 'ht'
rather than 'ht+2', the crash does not occur.

------------------------------------------------------------
    Chisato Yamauchi


*** xc/lib/font/FreeType/ftfuncs.c._orig_       2003-02-09 21:02:43.000000000 +0900
--- xc/lib/font/FreeType/ftfuncs.c      2003-02-11 17:30:35.000000000 +0900
***************
*** 600,627 ****
      bpr = (((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) & 
             -instance->bmfmt.glyph);
      if(tgp) {
!         raster = (char*)xalloc((ht+2) * bpr);
          if(raster == NULL) 
              return AllocError;
!         memset(raster, 0, (ht+2) * bpr);
      }
  
      if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
!         memcpy(raster, bitmap->buffer, bitmap->rows * bitmap->pitch);
      } else if(dx == 0) {
!         for(i = MAX(0, -dy); i < bitmap->rows && i + dy < ht; i++)
!             memcpy(raster + (i + dy) * bpr,
!                    bitmap->buffer + i * bitmap->pitch,
!                    bitmap->pitch);
      } else {
          for(i = MAX(0, -dy); i < bitmap->rows && i + dy < ht; i++) {
              for(j = MAX(0, -dx); j < bitmap->width && j + dx < wd; j++) {
                  int set;
                  set = (bitmap->buffer[i * bitmap->pitch + j / 8] &
                         1 << (7 - j % 8));
!                 if(set)
!                     raster[(i + dy) * bpr + (j + dx) / 8] |=
!                         1 << (7 - (j + dx) % 8);
              }
          }
      }
--- 600,643 ----
      bpr = (((wd + (instance->bmfmt.glyph<<3) - 1) >> 3) & 
             -instance->bmfmt.glyph);
      if(tgp) {
!         raster = (char*)xalloc(ht * bpr);
          if(raster == NULL) 
              return AllocError;
!         memset(raster, 0, ht * bpr);
      }
  
      if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
!       size_t cpy_size=bitmap->rows * bitmap->pitch;
!       if( ht*bpr < cpy_size ) cpy_size=ht*bpr;
!         memcpy(raster, bitmap->buffer, cpy_size);
      } else if(dx == 0) {
!         for(i = MAX(0, -dy); i < bitmap->rows && i + dy < ht; i++){
!           int cpy_begin=(i + dy) * bpr;
!           size_t cpy_size=bitmap->pitch;
!           if( cpy_begin < ht*bpr ){
!               if( ht*bpr < cpy_begin+cpy_size ){
!                   cpy_size = ht*bpr-cpy_begin;
!               }
!               memcpy(raster + cpy_begin,
!                      bitmap->buffer + i * bitmap->pitch,
!                      cpy_size);
!           }
!       }
      } else {
          for(i = MAX(0, -dy); i < bitmap->rows && i + dy < ht; i++) {
              for(j = MAX(0, -dx); j < bitmap->width && j + dx < wd; j++) {
                  int set;
                  set = (bitmap->buffer[i * bitmap->pitch + j / 8] &
                         1 << (7 - j % 8));
!                 if(set){
!                   int target = (i + dy) * bpr + (j + dx) / 8;
!                   if( target < ht*bpr ){
!                       raster[target] |= 1 << (7 - (j + dx) % 8);
!                   }
!                   else{
!                       break;
!                   }
!               }
              }
          }
      }
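Review bot: In the `dx == 0` branch the new clamp bounds each row copy only against the end of the whole raster (`ht*bpr`), not against the row it writes, so whenever `bitmap->pitch > bpr` every row except the last still spills `pitch - bpr` bytes into the following raster row; the write stays inside the allocation, but neighbouring rows are clobbered. A per-row bound removes the need for both the begin check and the end clamp, because the loop condition `i + dy < ht` already keeps the row inside the buffer: hoist `size_t row_bytes = bitmap->pitch < bpr ? bitmap->pitch : bpr;` before the loop and pass `row_bytes` as the memcpy length. That assumes `pitch` is non-negative at this point — FreeType allows a negative pitch for bottom-up bitmaps, and the patch's `size_t cpy_size=bitmap->pitch` would convert such a value into a huge count, so this should be confirmed or rejected earlier in the function. In the final branch the `target < ht*bpr` test cannot fail given `i + dy < ht` and the `bpr` computation at the top of the hunk (which yields at least `ceil(wd/8)` bytes, so `(j + dx)/8 < bpr`), making the `break` dead code; a comment stating that invariant would be clearer than an unreachable branch. The enclosing function starts and ends outside the hunk.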