[Cc'ing freetype-devel and Werner]

That prop.u.atom is the result of calling FT_BDF_Get_Property though; we are expecting to see the proper atom when prop.type is set to BDF_PROPERTY_TYPE_ATOM. In this case IMHO prop.type should be set to BDF_PROPERTY_TYPE_NONE and an error should be returned. Werner, any comments on that?

On Tue, Jan 28, 2014 at 5:48 PM, Petr Gajdos <pgajdos@xxxxxxx> wrote:
> Hello,
>
> a crash in libfontconfig was reported to me. Run
>
> $ fc-query startchar.bdf
>
> (startchar.bdf is a reproducer for a buffer overflow
> in libXfont, see [1])
>
> The problem is the following:
>
> Breakpoint 3, IA__FcFreeTypeQueryFace (face=0x608dd0,
> file=0x7fffffffebb9 "startchar.bdf", id=0, blanks=0x0) at
> fcfreetype.c:1591
> 1591 width = FcIsWidth ((FcChar8 *) prop.u.atom);
> (gdb) p prop.u.atom
> $6 = 0x0
>
> The following patch fixes the problem for me, but maybe this is not the correct
> place for this check.
>
> Index: src/fcstr.c > =================================================================== > --- src/fcstr.c.orig 2013-10-11 05:10:18.000000000 +0200 > +++ src/fcstr.c 2014-01-28 09:34:05.409800632 +0100 > @@ -26,6 +26,7 @@ > #include <stdlib.h> > #include <ctype.h> > #include <string.h> > +#include <limits.h> > #ifdef HAVE_REGEX_H > #include <regex.h> > #endif > @@ -211,6 +212,7 @@ > FcChar8 c1, c2; > > if (s1 == s2) return 0; > + if (!s1 || !s2) return INT_MAX; > > FcStrCaseWalkerInit (s1, &w1); > FcStrCaseWalkerInit (s2, &w2);
>
> Petr
>
> [1]
> http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
>
> _______________________________________________
> Fontconfig mailing list
> Fontconfig@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/fontconfig

--
Akira TAGOH
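
Review bot: The added `if (!s1 || !s2) return INT_MAX;` in the `@@ -211,6 +212,7 @@` hunk of src/fcstr.c returns the same positive value whichever argument is NULL, so swapping the arguments no longer flips the sign of the result, and it silently accepts NULL from every caller of this function instead of fixing the one caller that passed it. The gdb output shows the NULL coming from `prop.u.atom` at fcfreetype.c:1591, so the check fits better there, skipping the `FcIsWidth` call when `prop.u.atom` is NULL. If the guard stays in fcstr.c, return a negative value when only `s1` is NULL and a positive one when only `s2` is NULL, and document that NULL is accepted; the `<limits.h>` include from the first hunk is then unnecessary.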