Re: [Fonts] A serious problem about freetype module
The calculation of bpr looks a little unusual to me, but I don't know how all the parameters are used. I'll commit your patch now since it does help prevent a crash. Thanks.

I confirmed that this buffer overflow occurs in memcpy() in ftfuncs.c:

if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
    memcpy(raster, bitmap->buffer, bitmap->rows * bitmap->pitch);
} else if(dx == 0) {

'bitmap->rows * bitmap->pitch' sometimes exceeds 'ht*bpr' when displaying kochi-mincho.ttf, so X crashes. The following is a patch for improving safety. Although 'ht' rather than 'ht+2' is used, the crash does not occur.

Chisato Yamauchi

*** xc/lib/font/FreeType/ftfuncs.c._orig_ 2003-02-09 21:02:43.0 +0900 --- xc/lib/font/FreeType/ftfuncs.c 2003-02-11 17:30:35.0 +0900 *** *** 600,627 bpr = (((wd + (instance-bmfmt.glyph3) - 1) 3) -instance-bmfmt.glyph); if(tgp) { ! raster = (char*)xalloc((ht+2) * bpr); if(raster == NULL) return AllocError; ! memset(raster, 0, (ht+2) * bpr); } if(dx == 0 dy == 0 bpr == bitmap-pitch) { ! memcpy(raster, bitmap-buffer, bitmap-rows * bitmap-pitch); } else if(dx == 0) { ! for(i = MAX(0, -dy); i bitmap-rows i + dy ht; i++) ! memcpy(raster + (i + dy) * bpr, !bitmap-buffer + i * bitmap-pitch, !bitmap-pitch); } else { for(i = MAX(0, -dy); i bitmap-rows i + dy ht; i++) { for(j = MAX(0, -dx); j bitmap-width j + dx wd; j++) { int set; set = (bitmap-buffer[i * bitmap-pitch + j / 8] 1 (7 - j % 8)); ! if(set) ! raster[(i + dy) * bpr + (j + dx) / 8] |= ! 1 (7 - (j + dx) % 8); } } } --- 600,643 bpr = (((wd + (instance-bmfmt.glyph3) - 1) 3) -instance-bmfmt.glyph); if(tgp) { ! raster = (char*)xalloc(ht * bpr); if(raster == NULL) return AllocError; ! memset(raster, 0, ht * bpr); } if(dx == 0 dy == 0 bpr == bitmap-pitch) { ! size_t cpy_size=bitmap-rows * bitmap-pitch; ! if( ht*bpr cpy_size ) cpy_size=ht*bpr; ! memcpy(raster, bitmap-buffer, cpy_size); } else if(dx == 0) { ! for(i = MAX(0, -dy); i bitmap-rows i + dy ht; i++){ ! int cpy_begin=(i + dy) * bpr; ! size_t cpy_size=bitmap-pitch; ! 
if( cpy_begin ht*bpr ){ ! if( ht*bpr cpy_begin+cpy_size ){ ! cpy_size = ht*bpr-cpy_begin; ! } ! memcpy(raster + cpy_begin, ! bitmap-buffer + i * bitmap-pitch, ! cpy_size); ! } ! } } else { for(i = MAX(0, -dy); i bitmap-rows i + dy ht; i++) { for(j = MAX(0, -dx); j bitmap-width j + dx wd; j++) { int set; set = (bitmap-buffer[i * bitmap-pitch + j / 8] 1 (7 - j % 8)); ! if(set){ ! int target = (i + dy) * bpr + (j + dx) / 8; ! if( target ht*bpr ){ ! raster[target] |= 1 (7 - (j + dx) % 8); ! } ! else{ ! break; ! } ! } } } }

___ Fonts mailing list [EMAIL PROTECTED] http://XFree86.Org/mailman/listinfo/fonts
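Review bot: the comparison operators inside the new guards (`if( ht*bpr cpy_size )`, `if( cpy_begin ht*bpr )`, `if( ht*bpr cpy_begin+cpy_size )`, `if( target ht*bpr )`) were lost in this copy of the patch, so the direction of each check cannot be confirmed from the text; when applying it, verify that every index check is a strict `<` against `ht*bpr` and every length check clamps to `ht*bpr - cpy_begin`, because an inclusive comparison at the boundary still permits a one-byte write past the allocation. Two smaller points: the `cpy_begin` guard in the `dx == 0` branch is already implied by the loop condition `i + dy < ht` (since `cpy_begin = (i + dy) * bpr`), so the length clamp is the check that actually matters there and deserves a comment; and all three branches now clip silently, so a glyph taller than `ht` (the kochi-mincho.ttf case that started this thread) renders truncated with no diagnostic. Logging when `cpy_size` is reduced or when `target` reaches `ht*bpr` would keep the underlying metric mismatch visible to whoever investigates how `bpr` and `ht` are derived.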
Re: [Fonts] A serious problem about freetype module
Ok. This problem is fundamentally a buffer overflow. By applying the following patch, the crash is avoidable.

*** xc/lib/font/FreeType/ftfuncs.c.orig 2002-10-03 00:06:12.0 +0900 --- xc/lib/font/FreeType/ftfuncs.c 2003-02-08 15:45:38.0 +0900 *** *** 600,609 bpr = (((wd + (instance-bmfmt.glyph3) - 1) 3) -instance-bmfmt.glyph); if(tgp) { ! raster = (char*)xalloc(ht * bpr); if(raster == NULL) return AllocError; ! memset(raster, 0, ht * bpr); } if(dx == 0 dy == 0 bpr == bitmap-pitch) { --- 600,609 bpr = (((wd + (instance-bmfmt.glyph3) - 1) 3) -instance-bmfmt.glyph); if(tgp) { ! raster = (char*)xalloc((ht+2) * bpr); if(raster == NULL) return AllocError; ! memset(raster, 0, (ht+2) * bpr); } if(dx == 0 dy == 0 bpr == bitmap-pitch) {

Not (ht+2) but (ht+1) may be more appropriate. However, I think that (ht+2) is safer, since the calculation of the metric may be wrong. I'd like the maintainer of the freetype module to investigate in detail.

Chisato Yamauchi
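Review bot: changing the allocation to `(ht+2) * bpr` only adds slack; the copy length `bitmap->rows * bitmap->pitch` used by the `memcpy` inside the `if(dx == 0 && dy == 0 && bpr == bitmap->pitch)` block (the call quoted in the follow-up message) is still taken from the rendered bitmap rather than from the allocation, so a glyph whose bitmap is more than two rows taller than `ht` overruns the buffer exactly as before, and the `(ht+1)` versus `(ht+2)` question cannot be settled by guessing. Bound the copy by the allocated size, for example `if (cpy_size > ht * bpr) cpy_size = ht * bpr;`, or size the allocation from `bitmap->rows` and `bitmap->pitch`, and treat a disagreement between the metric-derived `ht` and `bitmap->rows` as a reportable error so the metric calculation you suspect can be located.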
Re: [Fonts] A serious problem about freetype module
> Can you reproduce this bug with ftview?

No. I don't know how to view 2-byte fonts with ftview. This crash occurs only with the jisx0208.1983 registry. I also confirmed the crash with xfd.

Chisato Yamauchi
[Fonts] A serious problem about freetype module
Hi,

There is a serious problem with the freetype module in XFree86-4.2.99.901. If the 18-pixel size of kochi-mincho.ttf (a famous Japanese font) is selected using xfontsel with jisx0208.1983, the X server crashes.

I investigated this problem a little. This crash does not occur when displaying the embedded bitmap of kochi-mincho.ttf. When the size of the font is 18 pixels or over, X crashes.

Furthermore, according to my investigation, this crash occurs with the following code of ftfuncs.c.

ftrc = FT_Load_Glyph(instance->face->face, idx, FT_LOAD_RENDER | FT_LOAD_MONOCHROME);

This function seems not to be used in the old freetype module or the xtt module. This problem does not occur in the old freetype module or the xtt module.

kochi-mincho.ttf is acquirable from the following.
http://www.a.phys.nagoya-u.ac.jp/~cyamauch/kochi-mincho.ttf.gz

And the fonts.dir is here.
kochi-mincho.ttf -kochi-mincho-medium-r-normal--0-0-0-0-c-0-jisx0208.1983-0

First, please confirm this problem. Thanks.

Chisato Yamauchi
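The overrun this thread traces (a rendered bitmap taller than the metric height `ht`, so that `bitmap->rows * bitmap->pitch` exceeds the `ht * bpr` allocation) is contained by bounding every write to the raster rather than by enlarging the allocation. The C below is an added example and not XFree86's or the thread's own code: `glyph_bitmap`, `blit_glyph` and the `demo_*` functions are hypothetical names, and the sample bitmaps are constructed. It follows the three copy branches of the patched ftfuncs.c code (contiguous fast path, same-column row copy, general shifted OR) and additionally reports how many rows were clipped, so a metric mismatch becomes visible instead of being silently truncated.

```c
/* Added example, not XFree86's or the thread's own code: a bounds-checked
 * copy of a 1-bpp glyph bitmap into a fixed-size raster. glyph_bitmap,
 * blit_glyph and demo_* are hypothetical names; samples are constructed. */
#include <stddef.h>
#include <string.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

typedef struct {
    int rows, width, pitch;      /* height and width in pixels, bytes per row */
    const unsigned char *buffer; /* rows * pitch bytes, MSB = leftmost pixel */
} glyph_bitmap;

typedef struct {
    size_t bytes_copied; /* bytes moved by the two memcpy branches */
    int rows_clipped;    /* bitmap rows that fell outside the ht raster rows */
} blit_result;

/* Copy bm into raster (ht rows of bpr bytes) at pixel offset (dx, dy). Every
 * write is checked against ht * bpr, the allocation size, so a bitmap taller
 * than the metric-derived ht is clipped and reported, not written past the end. */
blit_result blit_glyph(unsigned char *raster, int ht, int wd, int bpr,
                       const glyph_bitmap *bm, int dx, int dy)
{
    blit_result r = {0, 0};
    size_t limit = (size_t)ht * (size_t)bpr;
    int first = MAX(0, -dy);          /* first bitmap row inside the raster */
    int end = bm->rows;               /* one past the last usable bitmap row */
    int i, j;
    if (end > ht - dy) end = ht - dy; /* rows beyond the raster bottom */
    if (end < first) end = first;
    r.rows_clipped = first + (bm->rows - end);
    memset(raster, 0, limit);

    if (dx == 0 && dy == 0 && bpr == bm->pitch) {
        /* Fast path: one memcpy, its length bounded by the allocation rather
         * than trusting rows * pitch (the unchecked length in the report). */
        size_t want = (size_t)bm->rows * (size_t)bm->pitch;
        size_t n = want > limit ? limit : want;
        memcpy(raster, bm->buffer, n);
        r.bytes_copied = n;
    } else if (dx == 0) {
        /* Same column: row by row, at most bpr bytes and never past limit. */
        size_t n = bm->pitch < bpr ? (size_t)bm->pitch : (size_t)bpr;
        for (i = first; i < end; i++) {
            size_t begin = (size_t)(i + dy) * (size_t)bpr, len = n;
            if (begin >= limit) break;
            if (begin + len > limit) len = limit - begin;
            memcpy(raster + begin, bm->buffer + (size_t)i * (size_t)bm->pitch, len);
            r.bytes_copied += len;
        }
    } else {
        /* General case: pixel by pixel, checking source and target indices. */
        for (i = first; i < end; i++) {
            for (j = MAX(0, -dx); j < bm->width && j + dx < wd; j++) {
                size_t src = (size_t)i * (size_t)bm->pitch + (size_t)(j / 8);
                size_t dst = (size_t)(i + dy) * (size_t)bpr + (size_t)((j + dx) / 8);
                if (j / 8 >= bm->pitch) break;  /* width claims more than pitch */
                if (!(bm->buffer[src] & (1 << (7 - j % 8)))) continue;
                if (dst >= limit) break;        /* would overrun the raster */
                raster[dst] |= (unsigned char)(1 << (7 - (j + dx) % 8));
            }
        }
    }
    return r;
}

/* Constructed sample matching the report: 20 bitmap rows against ht = 18 with
 * pitch == bpr, so rows * pitch (60) exceeds ht * bpr (54): 54 copied, 2 clipped. */
blit_result demo_tall_glyph(void)
{
    static unsigned char bits[20 * 3], raster[18 * 3];
    glyph_bitmap bm = {20, 18, 3, bits};
    memset(bits, 0xAA, sizeof bits);
    return blit_glyph(raster, 18, 18, 3, &bm, 0, 0);
}

/* Same-column branch: 4 rows placed at dy = 2 in a 5-row raster, so the last
 * bitmap row is clipped: 6 bytes copied, 1 row clipped. */
blit_result demo_offset_glyph(void)
{
    static unsigned char bits[4 * 2], raster[5 * 2];
    glyph_bitmap bm = {4, 16, 2, bits};
    memset(bits, 0xFF, sizeof bits);
    return blit_glyph(raster, 5, 16, 2, &bm, 0, 2);
}

/* General branch: a solid 8x8 block shifted right by 4 pixels into a 16-pixel
 * raster; returns the last raster row as 16 bits, expected 0x0FF0. */
int demo_shifted_glyph(void)
{
    static unsigned char bits[8], raster[8 * 2];
    glyph_bitmap bm = {8, 8, 1, bits};
    memset(bits, 0xFF, sizeof bits);
    blit_glyph(raster, 8, 16, 2, &bm, 4, 0);
    return (raster[14] << 8) | raster[15];
}
```

`demo_tall_glyph()` reproduces the reported shape (a bitmap two rows taller than `ht`): the fast path copies only the 54 bytes that fit and the returned `rows_clipped` of 2 is the signal a caller would log, which is what the silent clamps in the committed patch lack.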