Re: [ft-devel] cff_get_name_index crash

2007-02-09 Thread Miles Bader
Sean McBride [EMAIL PROTECTED] writes:
>> Neither are currently included in glibc (and some effort with google
>> seems to indicate this is likely to stay this way for the foreseeable
>> future)
>
> Really?  Oh well, that sucks.  :)

If you're interested in this sort of thing, it's probably a good idea to
read up on the _reason_ why the glibc maintainer won't include them.

-Miles
-- 
The car has become... an article of dress without which we feel uncertain,
unclad, and incomplete.  [Marshall McLuhan, Understanding Media, 1964]



___
Freetype-devel mailing list
Freetype-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/freetype-devel


Re: [ft-devel] cff_get_name_index crash

2007-02-08 Thread Werner LEMBERG
>> Uses of ft_strcpy and ft_strcat could also be replaced with the
>> strn* varieties, which would be some improvement.
>
> Agreed, the 'n' variety is not as good as the 'l' variety, but
> better than the status quo.

Patches, please. :-)

Note, however, that I'm not aware of a place where strcpy is used
unprotected.  In case you find something, please report it!


Werner




Re: [ft-devel] cff_get_name_index crash

2007-02-07 Thread Werner LEMBERG
> While trying to track down an evince crash (see
> http://bugzilla.gnome.org/show_bug.cgi?id=403791) I appear to have
> found an error in freetype, and I've got a patch to fix it.

Applied, thanks.


Werner




Re: [ft-devel] cff_get_name_index crash

2007-02-07 Thread Sean McBride
On 2007-02-06 17:28, Tom Parker said:

> The strcmp is done without checking that the return value was sane, and

strcmp(), eh?  That made me curious

I searched the freetype code for strcpy() and found it is used (by way
of ft_strcpy()) quite a lot.  strcpy() is evil.  Someone might want to
consider doing the following replacements:

ft_strcpy, ft_strncpy -> strlcpy
ft_strcat -> strlcat

For info on why, see:
http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html

--

Sean McBride, B. Eng [EMAIL PROTECTED]
Rogue Research          www.rogue-research.com
Mac Software Developer  Montréal, Québec, Canada






Re: [ft-devel] cff_get_name_index crash

2007-02-07 Thread Tom Parker

Sean McBride wrote:

> ft_strcpy, ft_strncpy -> strlcpy
> ft_strcat -> strlcat


Neither are currently included in glibc (and some effort with google 
seems to indicate this is likely to stay this way for the foreseeable 
future), and so if freetype wants to use those it would have to maintain 
its own variants of them.


Uses of ft_strcpy and ft_strcat could also be replaced with the strn* 
varieties, which would be some improvement.


Tom Parker
--
[EMAIL PROTECTED] - http://tevp.net
Illegitimus non carborundum
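As an added example (not FreeType's code, and not something posted in this thread): the kind of self-maintained strlcpy/strlcat that Tom's reply says FreeType would have to carry, shown next to a check of why the strn* variety he mentions is only a partial fix (strncpy can leave the buffer unterminated, and neither strncpy nor strncat tells the caller that truncation happened). The ft_ prefixed names, the buffer sizes and the glyph names are assumptions for the demonstration.

```c
/* Added example, not FreeType code: portable strlcpy/strlcat replacements
   of the kind a project has to carry itself when its libc lacks them,
   plus a check showing the gap strncpy leaves. ft_ names are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (buffer of dstsize bytes), always NUL-terminating when
   dstsize > 0. Returns strlen(src); a result >= dstsize means truncation. */
size_t ft_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Append src to the NUL-terminated string already in dst (buffer of dstsize
   bytes). Returns the length the joined string would have had; a result
   >= dstsize means the append was truncated. */
size_t ft_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dstlen = 0;
    while (dstlen < dstsize && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == dstsize)            /* dst not terminated within dstsize */
        return dstsize + strlen(src);
    return dstlen + ft_strlcpy(dst + dstlen, src, dstsize - dstlen);
}

/* strncpy stops without writing a terminator when src fills the buffer.
   Returns 1 if the buffer has no NUL within bufsize after the copy, 0 if it
   does, -1 if bufsize is larger than the scratch buffer. */
int strncpy_leaves_unterminated(const char *src, size_t bufsize)
{
    char buf[16];
    if (bufsize > sizeof buf)
        return -1;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, bufsize);
    return memchr(buf, '\0', bufsize) == NULL;
}

/* Copy a glyph name into a fixed buffer and report whether it was truncated,
   which is the check strlcpy's return value makes possible. */
int copy_glyph_name_truncated(const char *name, char *out, size_t outsize)
{
    return ft_strlcpy(out, name, outsize) >= outsize;
}

int main(void)
{
    char out[8];   /* deliberately small buffer for the demonstration */
    printf("Adieresis truncated: %d -> \"%s\"\n",
           copy_glyph_name_truncated("Adieresis", out, sizeof out), out);
    printf("space truncated: %d -> \"%s\"\n",
           copy_glyph_name_truncated("space", out, sizeof out), out);
    printf("strncpy of Adieresis into 8 bytes unterminated: %d\n",
           strncpy_leaves_unterminated("Adieresis", 8));
    return 0;
}
```

The useful property is the return value: a caller that compares it against the buffer size can reject or log an over-long name instead of silently shipping a truncated one, which is exactly what the strn* calls cannot tell it.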




[ft-devel] cff_get_name_index crash

2007-02-06 Thread Tom Parker
While trying to track down an evince crash (see 
http://bugzilla.gnome.org/show_bug.cgi?id=403791) I appear to have found 
an error in freetype, and I've got a patch to fix it. Stack trace 
without the patch is as follows:


#0  0x40d83d5a in strcmp () from /lib/tls/i686/cmov/libc.so.6
#1  0x412e7202 in cff_get_name_index (face=0x41c22ae0, glyph_name=0x412548d3 "space") at /local/palfrey/src/freetype2/src/cff/cffdrivr.c:273
#2  0x412c633c in FT_Get_Name_Index (face=0x41c22ae0, glyph_name=0x412548d3 "space") at /local/palfrey/src/freetype2/src/base/ftobjs.c:2868
#3  0x401cc374 in CairoFont::create (gfxFont=0x41c204e0, xref=0x82a27e0, lib=0x82e61c8, useCIDs=1) at CairoFontEngine.cc:130
#4  0x401cc9ea in CairoFontEngine::getFont (this=0x82eaf08, gfxFont=0x41c204e0, xref=0x82a27e0) at CairoFontEngine.cc:353


The strcmp is done without checking that the return value was sane, and 
so it crashes. This is mainly due to the test file in question being 
horribly corrupted, but that's still not a good excuse for crashing. 
With the attached patch, it doesn't crash.


Thanks,

Tom Parker
--
[EMAIL PROTECTED] - http://tevp.net
Illegitimus non carborundum
? fix-strcmp.patch
? src/cff/.cffdrivr.c.swp
Index: src/cff/cffdrivr.c
===
RCS file: /sources/freetype/freetype2/src/cff/cffdrivr.c,v
retrieving revision 1.64
diff -u -r1.64 cffdrivr.c
--- src/cff/cffdrivr.c	17 Jan 2007 12:45:25 -	1.64
+++ src/cff/cffdrivr.c	6 Feb 2007 16:26:00 -
@@ -270,6 +270,8 @@
   else
 name = (FT_String *)psnames-adobe_std_strings( sid );
 
+  if (name == NULL)
+continue;
   result = ft_strcmp( glyph_name, name );
 
   if ( sid  390 )
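Review bot: the added "if (name == NULL) continue;" stops the strcmp crash but makes a corrupt charset entry indistinguishable from a glyph that simply does not match: the loop moves on and the caller never learns that the font handed adobe_std_strings() a SID it could not resolve. Consider whether this should be surfaced (an error return, or at least a comment stating that invalid SIDs are deliberately tolerated) rather than only suppressed. The guard also sits after the else branch only; if the custom-strings branch above the visible context can yield NULL as well, the check belongs after both assignments. Style: the surrounding code writes ft_strcmp( glyph_name, name ) with spaces inside the parentheses and a two-space body indent, so "if ( name == NULL )" followed by an indented "continue;" would match the file's convention.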
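As an added example, not FreeType's code and not the patch above: a cut-down model of the charset search that the stack trace and patch concern, with the NULL guard in place and a helper that counts the unresolvable SIDs so a loader can flag the corrupt charset rather than only surviving it. The charset array, the adobe_std_strings() stand-in and the 391-entry standard-string count are assumptions for the example.

```c
/* Added example, not FreeType code: a model of the glyph-name search in
   cff_get_name_index() with the NULL check the patch introduces. The charset
   table, adobe_std_strings() and NUM_STD_STRINGS are assumptions standing in
   for FreeType's real structures. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUM_STD_STRINGS 391   /* assumed: SIDs 0..390 name the standard strings */

/* Stand-in for psnames->adobe_std_strings: returns NULL for any SID outside
   the standard-string range, which is what a corrupt charset can produce.
   Only the first few entries are populated for the example. */
static const char *adobe_std_strings(unsigned int sid)
{
    static const char *table[NUM_STD_STRINGS] = { ".notdef", "space", "exclam" };
    if (sid >= NUM_STD_STRINGS)
        return NULL;
    return table[sid];   /* unpopulated entries are NULL here too */
}

/* Constructed charset: glyph index -> SID. Index 2 carries a garbage SID of
   the kind a corrupted file like the one in the bug report might contain. */
static const unsigned short charset[] = { 0, 1, 60000, 2 };
#define NUM_GLYPHS (sizeof charset / sizeof charset[0])

/* Return the glyph index whose name matches glyph_name, or 0 if none.
   Mirrors the patched loop: a NULL name is skipped, never passed to strcmp. */
unsigned int get_name_index(const char *glyph_name)
{
    unsigned int i;
    for (i = 0; i < NUM_GLYPHS; i++) {
        const char *name = adobe_std_strings(charset[i]);
        if (name == NULL)
            continue;   /* the fix from the patch: strcmp() must never see NULL */
        if (strcmp(glyph_name, name) == 0)
            return i;
    }
    return 0;
}

/* Count charset entries whose SID resolves to no name. A loader can use a
   non-zero result to report the font as damaged instead of silently skipping. */
unsigned int count_bad_sids(void)
{
    unsigned int i, bad = 0;
    for (i = 0; i < NUM_GLYPHS; i++)
        if (adobe_std_strings(charset[i]) == NULL)
            bad++;
    return bad;
}

int main(void)
{
    printf("index of \"exclam\": %u\n", get_name_index("exclam"));
    printf("index of \"space\":  %u\n", get_name_index("space"));
    printf("unresolvable SIDs in charset: %u\n", count_bad_sids());
    return 0;
}
```

Without the NULL check the third charset entry would reach strcmp() as a null pointer, which is the frame #0 crash in the trace; with it, the lookup still finds "exclam" at index 3, and count_bad_sids() gives the loader a way to notice that the charset was corrupt.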