Re: [Fonts] A serious problem about freetype module

2003-02-11 Thread Chisato Yamauchi
> The calculation of bpr looks a little unusual to me, but I don't know
> how all the parameters are used.
>
> I'll commit your patch now since it does help prevent a crash.

  Thanks.

  I confirmed that this buffer overflow occurs in memcpy() in
ftfuncs.c:


if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
memcpy(raster, bitmap->buffer, bitmap->rows * bitmap->pitch);
} else if(dx == 0) {


  'bitmap->rows * bitmap->pitch' sometimes exceeds 'ht*bpr'
when displaying kochi-mincho.ttf, so X crashes.

  The following is a patch for improving safety.  Although
'ht' rather than 'ht+2' is used, the crash does not occur.


Chisato Yamauchi


*** xc/lib/font/FreeType/ftfuncs.c._orig_   2003-02-09 21:02:43.0 +0900
--- xc/lib/font/FreeType/ftfuncs.c  2003-02-11 17:30:35.0 +0900
***
*** 600,627 
  bpr = (((wd + (instance-bmfmt.glyph3) - 1)  3)  
 -instance-bmfmt.glyph);
  if(tgp) {
! raster = (char*)xalloc((ht+2) * bpr);
  if(raster == NULL) 
  return AllocError;
! memset(raster, 0, (ht+2) * bpr);
  }
  
  if(dx == 0  dy == 0  bpr == bitmap-pitch) {
! memcpy(raster, bitmap-buffer, bitmap-rows * bitmap-pitch);
  } else if(dx == 0) {
! for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++)
! memcpy(raster + (i + dy) * bpr,
!bitmap-buffer + i * bitmap-pitch,
!bitmap-pitch);
  } else {
  for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++) {
  for(j = MAX(0, -dx); j  bitmap-width  j + dx  wd; j++) {
  int set;
  set = (bitmap-buffer[i * bitmap-pitch + j / 8] 
 1  (7 - j % 8));
! if(set)
! raster[(i + dy) * bpr + (j + dx) / 8] |=
! 1  (7 - (j + dx) % 8);
  }
  }
  }
--- 600,643 
  bpr = (((wd + (instance-bmfmt.glyph3) - 1)  3)  
 -instance-bmfmt.glyph);
  if(tgp) {
! raster = (char*)xalloc(ht * bpr);
  if(raster == NULL) 
  return AllocError;
! memset(raster, 0, ht * bpr);
  }
  
  if(dx == 0  dy == 0  bpr == bitmap-pitch) {
!   size_t cpy_size=bitmap-rows * bitmap-pitch;
!   if( ht*bpr  cpy_size ) cpy_size=ht*bpr;
! memcpy(raster, bitmap-buffer, cpy_size);
  } else if(dx == 0) {
! for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++){
!   int cpy_begin=(i + dy) * bpr;
!   size_t cpy_size=bitmap-pitch;
!   if( cpy_begin  ht*bpr ){
!   if( ht*bpr  cpy_begin+cpy_size ){
!   cpy_size = ht*bpr-cpy_begin;
!   }
!   memcpy(raster + cpy_begin,
!  bitmap-buffer + i * bitmap-pitch,
!  cpy_size);
!   }
!   }
  } else {
  for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++) {
  for(j = MAX(0, -dx); j  bitmap-width  j + dx  wd; j++) {
  int set;
  set = (bitmap-buffer[i * bitmap-pitch + j / 8] 
 1  (7 - j % 8));
! if(set){
!   int target = (i + dy) * bpr + (j + dx) / 8;
!   if( target  ht*bpr ){
!   raster[target] |= 1  (7 - (j + dx) % 8);
!   }
!   else{
!   break;
!   }
!   }
  }
  }
  }
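Review bot: in the dx == 0 branch the row copy is clamped only when it reaches the end of the raster (`if( ht*bpr < cpy_begin+cpy_size )`), so whenever bitmap->pitch is wider than bpr every earlier row still writes pitch bytes and spills into the following raster row; copying the smaller of bitmap->pitch and bpr per row would keep each row in its own slot and make the end-of-buffer clamp unnecessary. The `cpy_begin < ht*bpr` guard is already implied by the loop condition `i + dy < ht`, and `target < ht*bpr` in the last branch is likewise implied by `j + dx < wd` together with how bpr is derived from wd, so both checks are harmless but redundant and could carry a comment saying they are defensive. The fast path's `ht*bpr < cpy_size` compares an int product with a size_t, which is fine while ht and bpr are positive but deserves an explicit cast, and all three clamps silently drop the rows by which bitmap->rows exceeds ht, which is exactly the metric mismatch the thread reports; a diagnostic message when truncation happens would help the maintainer find the root cause instead of hiding it.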
___
Fonts mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/fonts
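To make the overflow condition and the clamped copy concrete, here is an added example (not code from ftfuncs.c or from the poster's patch) that models the raster copy discussed above. It reuses the thread's names wd, ht, bpr and glyph, mirrors the FreeType bitmap fields the code touches (rows, width, pitch, buffer), and feeds in a constructed bitmap that is taller than the height the metrics promised.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not ftfuncs.c itself: models the glyph-raster copy the patch
 * hardens.  Bitmap mirrors the FT_Bitmap fields used; wd/ht/bpr/glyph follow
 * the names in the thread. */
typedef struct { int rows; int width; int pitch; unsigned char *buffer; } Bitmap;

/* Bytes per raster row as ftfuncs.c computes it: wd/8 rounded up to the
 * glyph padding unit (1, 2, 4 or 8 bytes). */
int bytes_per_row(int wd, int glyph) {
    return ((wd + (glyph << 3) - 1) >> 3) & -glyph;
}

/* The unchecked fast path copies rows*pitch bytes into an ht*bpr buffer;
 * returns how many of those bytes would land past the allocation. */
size_t overflow_bytes(const Bitmap *bm, int ht, int bpr) {
    size_t need = (size_t)bm->rows * (size_t)bm->pitch;
    size_t have = (size_t)ht * (size_t)bpr;
    return need > have ? need - have : 0;
}

/* Hardened dx == 0 copy: no row at or past ht is written, and each row is
 * clamped to the narrower of pitch and bpr so a wide source row cannot spill
 * into the next raster row.  Returns the number of bytes copied. */
size_t copy_rows_clamped(unsigned char *raster, int ht, int bpr,
                         const Bitmap *bm, int dy) {
    size_t copied = 0, row = (size_t)(bm->pitch < bpr ? bm->pitch : bpr);
    for (int i = dy < 0 ? -dy : 0; i < bm->rows && i + dy < ht; i++) {
        memcpy(raster + (size_t)(i + dy) * bpr,
               bm->buffer + (size_t)i * bm->pitch, row);
        copied += row;
    }
    return copied;
}

/* Constructed scenario (not real glyph data): a bitmap rendered with more
 * rows than the metrics promised.  Returns the overflow the unchecked memcpy
 * would cause; *copied receives the bytes the hardened copy moved. */
size_t run_scenario(int rows, int wd, int ht, int glyph, size_t *copied) {
    int bpr = bytes_per_row(wd, glyph);
    unsigned char *src = malloc((size_t)rows * bpr);
    unsigned char *raster = calloc((size_t)ht * bpr, 1);
    memset(src, 0xFF, (size_t)rows * bpr);
    Bitmap bm = { rows, wd, bpr, src };   /* pitch == bpr: the fast path case */
    size_t over = overflow_bytes(&bm, ht, bpr);
    *copied = copy_rows_clamped(raster, ht, bpr, &bm, 0);
    free(src); free(raster);
    return over;
}
```

With an 18-pixel glyph (bpr = 3) rendered as 20 rows, run_scenario reports that the unchecked copy would write 6 bytes past the 54-byte raster while the clamped copy stops at 54.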



Re: [Fonts] A serious problem about freetype module

2003-02-08 Thread Chisato Yamauchi
  Ok.

  Fundamentally, this problem is a buffer overflow.  By applying
the following patch, the crash is avoidable.

*** xc/lib/font/FreeType/ftfuncs.c.orig 2002-10-03 00:06:12.0 +0900
--- xc/lib/font/FreeType/ftfuncs.c  2003-02-08 15:45:38.0 +0900
***
*** 600,609 
  bpr = (((wd + (instance-bmfmt.glyph3) - 1)  3)  
 -instance-bmfmt.glyph);
  if(tgp) {
! raster = (char*)xalloc(ht * bpr);
  if(raster == NULL) 
  return AllocError;
! memset(raster, 0, ht * bpr);
  }
  
  if(dx == 0  dy == 0  bpr == bitmap-pitch) {
--- 600,609 
  bpr = (((wd + (instance-bmfmt.glyph3) - 1)  3)  
 -instance-bmfmt.glyph);
  if(tgp) {
! raster = (char*)xalloc((ht+2) * bpr);
  if(raster == NULL) 
  return AllocError;
! memset(raster, 0, (ht+2) * bpr);
  }
  
  if(dx == 0  dy == 0  bpr == bitmap-pitch) {
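Review bot: growing the allocation from ht*bpr to (ht+2)*bpr leaves the copy below it unbounded; the fast path still copies bitmap->rows * bitmap->pitch bytes, so a bitmap more than two rows taller than ht, or one whose pitch is wider than bpr, overflows exactly as before. The copy length should be tied to the allocation (clamp it to the allocated size and bound the row loops by the raster height) rather than padding the buffer, and the choice of 2 extra rows deserves a comment, since nothing in the hunk explains where that margin comes from.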


  (ht+1) rather than (ht+2) may be more appropriate.  However, I
think that (ht+2) is safer, since the metric calculation
may be wrong.

  I'd like the maintainer of freetype module to investigate
in detail.


Chisato Yamauchi



Re: [Fonts] A serious problem about freetype module

2003-02-08 Thread Chisato Yamauchi
> Can you reproduce this bug with ftview?
>

  No.

  I don't know how to view 2-byte fonts with ftview.
This crash occurs only with jisx0208.1983 rgstry.
I also confirmed the crash with xfd.


Chisato Yamauchi



[Fonts] A serious problem about freetype module

2003-02-07 Thread Chisato Yamauchi
  Hi,

  There is a serious problem with the freetype module in
XFree86-4.2.99.901.

  If the 18-pixel size of kochi-mincho.ttf (a famous Japanese font)
is selected using xfontsel with jisx0208.1983, the X
server crashes.

  I investigated this problem a little.  This crash does not
occur when displaying the embedded bitmap of kochi-mincho.ttf.
When the size of the font is 18 pixels or over, X crashes.

  Furthermore, according to my investigation, this crash 
occurs with the following code of ftfuncs.c.

ftrc = FT_Load_Glyph(instance->face->face, idx,
                     FT_LOAD_RENDER | FT_LOAD_MONOCHROME);


  This function does not seem to be used in the old freetype
module or the xtt module.  This problem does not occur in the
old freetype module or the xtt module.


  kochi-mincho.ttf can be obtained from the following.

  http://www.a.phys.nagoya-u.ac.jp/~cyamauch/kochi-mincho.ttf.gz

  And the fonts.dir is here.

kochi-mincho.ttf -kochi-mincho-medium-r-normal--0-0-0-0-c-0-jisx0208.1983-0


  First, please confirm this problem.  Thanks.


Chisato Yamauchi