Dirk Mueller wrote:
>
>> Anyway, the real fix would be to drag the bytes_left_to_read parameter
>> around and verify against that one, since otherwise block_ptr will run out
>> of bounds (outside the mmapped area) and then crash.
>
> Turns out this is easier than I thought. Although metadata.count doesn't seem
> to be verified either. Anyway, this should work (yet untested):

Yes, this is much better. I've committed it.

Other places do not read a count directly from the file; instead, they use the counts stored in the metadata struct. I'm not sure why I didn't store the number of patterns in metadata, but it must have seemed like a good idea at the time. It might have to do with the fact that we actually alloc the FcPattern * array...

So if you want to make the rest of fontconfig's treatment of input sizes robust, you need to check metadata when it gets read in fccache.c. It's sort of less of an issue, though, because those other input sizes don't trigger any memory allocation. They're just within the mmapped chunk.

pat

_______________________________________________
Fontconfig mailing list
http://lists.freedesktop.org/mailman/listinfo/fontconfig
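The check the thread is talking about, as an added illustration that is not fontconfig's code and does not use its real cache layout: a count read out of a mapped file is validated against the bytes actually left in the mapping before anything walks the records it claims. The layout (32-bit count followed by fixed-size records), RECORD_SIZE and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical on-disk layout, NOT fontconfig's real cache format:
 * a 32-bit little-endian count followed by `count` fixed-size records. */
#define RECORD_SIZE 16u

/* Read the count and verify that every record it claims fits inside the
 * remaining mapped bytes. Returns the count, or -1 if trusting it would make
 * the caller walk block_ptr past the end of the mapping. */
static long read_checked_count(const unsigned char *block_ptr,
                               size_t bytes_left_to_read)
{
    if (bytes_left_to_read < 4)
        return -1;                       /* not even room for the count */
    uint32_t count = (uint32_t)block_ptr[0] | (uint32_t)block_ptr[1] << 8 |
                     (uint32_t)block_ptr[2] << 16 | (uint32_t)block_ptr[3] << 24;
    bytes_left_to_read -= 4;
    /* Divide rather than multiply so a huge count cannot overflow size_t. */
    if (count > bytes_left_to_read / RECORD_SIZE)
        return -1;
    return (long)count;
}

/* Walk the records (summing their first byte stands in for real parsing).
 * Returns -1 for a malformed buffer so a caller can see the rejection. */
long walk_records(const unsigned char *buf, size_t len)
{
    long n = read_checked_count(buf, len);
    if (n < 0)
        return -1;
    const unsigned char *rec = buf + 4;
    long sum = 0;
    for (long i = 0; i < n; i++, rec += RECORD_SIZE)
        sum += rec[0];
    return sum;
}

/* Constructed sample inputs: a well-formed file with two records, a file
 * whose count is absurd, and one that promises more records than it holds. */
static unsigned char good_buf[4 + 2 * RECORD_SIZE] = { 2, 0, 0, 0, 7, [20] = 5 };
static unsigned char huge_buf[4 + RECORD_SIZE]     = { 0xff, 0xff, 0xff, 0xff };
static unsigned char short_buf[4 + RECORD_SIZE]    = { 2, 0, 0, 0 };

long demo_good(void)  { return walk_records(good_buf,  sizeof good_buf);  }
long demo_huge(void)  { return walk_records(huge_buf,  sizeof huge_buf);  }
long demo_short(void) { return walk_records(short_buf, sizeof short_buf); }
```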