Hi, This one fixes a memory overrun when a fonts.cache file is slightly malformed. Other places probably need similar fixes. Thanks, Dirk 2006-02-01 Dirk Mueller <dmueller@xxxxxxx> * fcfs.c (FcFontSetUnserialize): Make sure there is no integer overflow when reading the cache file.
Index: src/fcfs.c
===================================================================
RCS file: /cvs/fontconfig/fontconfig/src/fcfs.c,v
retrieving revision 1.4.4.8
diff -u -3 -d -p -r1.4.4.8 fcfs.c
--- src/fcfs.c 25 Nov 2005 15:50:33 -0000 1.4.4.8
+++ src/fcfs.c 1 Feb 2006 19:04:23 -0000
@@ -159,23 +159,23 @@ FcFontSetUnserialize(FcCache * metadata,
 nfont = *(int *)block_ptr;
 block_ptr = (int *)block_ptr + 1;
- if (s->sfont < s->nfont + nfont)
- {
- int sfont = s->nfont + nfont;
- FcPattern ** pp;
- pp = realloc (s->fonts, sfont * sizeof (FcPattern));
- if (!pp)
- return FcFalse;
- s->fonts = pp;
- s->sfont = sfont;
- }
- n = s->nfont;
- s->nfont += nfont;
-
- if (nfont > 0)
+ if (nfont > 0 && s->nfont < s->nfont + nfont)
 {
 FcPattern * p = (FcPattern *)block_ptr;
+ if (s->sfont < s->nfont + nfont)
+ {
+ int sfont = s->nfont + nfont;
+ FcPattern ** pp;
+ pp = realloc (s->fonts, sfont * sizeof (FcPattern));
+ if (!pp)
+ return FcFalse;
+ s->fonts = pp;
+ s->sfont = sfont;
+ }
+ n = s->nfont;
+ s->nfont += nfont;
+
 /* The following line is a bit counterintuitive. The usual
 * convention is that FcPatternUnserialize is responsible for
 * aligning the FcPattern. However, the FontSet also stores
@@ -187,7 +187,7 @@ FcFontSetUnserialize(FcCache * metadata,
 block_ptr = FcPatternUnserialize (metadata, block_ptr);
 block_ptr = FcObjectUnserialize (metadata, block_ptr);
+ return block_ptr != 0;
 }
-
- return block_ptr != 0;
+ return FcFalse;
 }
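Review bot: The new guard `s->nfont < s->nfont + nfont` at the top of the first hunk relies on signed `int` addition wrapping, which is undefined behaviour in C; an optimising compiler may treat `s->nfont + nfont` as never less than `s->nfont` for positive `nfont` and delete the comparison, leaving the overrun this patch is meant to close. The overflow has to be tested before the addition is performed: `if (nfont > 0 && nfont <= INT_MAX - s->nfont)` (with `<limits.h>`), after which the inner `s->sfont < s->nfont + nfont` test and `int sfont = s->nfont + nfont;` are safe. Even then a `nfont` near `INT_MAX` still lets `sfont * sizeof (FcPattern)` wrap `size_t` on 32-bit targets, so bounding `nfont` by the remaining size of the cache block would be the stronger fix; the block's extent isn't visible in this hunk. Separately, `s->fonts` is an `FcPattern **`, so the element size in the `realloc` should be `sizeof (FcPattern *)`; the current `sizeof (FcPattern)` over-allocates rather than under-allocates, so it is a waste but not a safety issue, and it is pre-existing. FcFontSetUnserialize starts before this hunk and continues past it.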
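Review bot: `return FcFalse;` at the end of the second hunk now makes a cache block with `nfont == 0` an unserialization failure, where the old trailing `return block_ptr != 0;` treated it as success; if the serializer legitimately writes `nfont == 0` for a directory that contains no fonts (the writer is not visible here), every such cache now fails to load. If the intent is only to reject an overflowing or negative count, an early check before the allocation, `if (nfont < 0 || nfont > INT_MAX - s->nfont) return FcFalse;`, would let the original `if (nfont > 0)` body and the trailing `return block_ptr != 0;` stand unchanged and keep the empty-set case working. The closing `}` here ends FcFontSetUnserialize, whose body starts before the first hunk.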