Re: [ft-devel] [Fontconfig] fontconfig crash for special bdf font

[Akira TAGOH]

[Cc'ing freetype-devel and Werner]

That prop.u.atom is the result of calling FT_BDF_Get_Property though,
we are expecting to see the proper atom when prop.type is set to
BDF_PROPERTY_TYPE_ATOM. in this case IMHO prop.type should be set to
BDF_PROPERTY_TYPE_NONE and returns an error.

Werner, any comments for that?

On Tue, Jan 28, 2014 at 5:48 PM, Petr Gajdos <address@hidden> wrote:
> Hello,
>
> a crash in libfontconfig was reported to me. Run
>
> $ fc-query startchar.bdf
>
> (startchar.bdf is reproducer for buffer overflow
> in libXfont, see [1])
>
> The problem is following:
>
> Breakpoint 3, IA__FcFreeTypeQueryFace (face=0x608dd0,
> file=0x7fffffffebb9 "startchar.bdf", id=0, blanks=0x0) at
> fcfreetype.c:1591
> 1591                width = FcIsWidth ((FcChar8 *) prop.u.atom);
> (gdb) p prop.u.atom
> $6 = 0x0
>
> Following patch fixes problem for me, but maybe this is not correct
> place for this check.
>
> Index: src/fcstr.c
> ===================================================================
> --- src/fcstr.c.orig    2013-10-11 05:10:18.000000000 +0200
> +++ src/fcstr.c 2014-01-28 09:34:05.409800632 +0100
> @@ -26,6 +26,7 @@
>  #include <stdlib.h>
>  #include <ctype.h>
>  #include <string.h>
> +#include <limits.h>
>  #ifdef HAVE_REGEX_H
>  #include <regex.h>
>  #endif
> @@ -211,6 +212,7 @@
>      FcChar8        c1, c2;
>
>      if (s1 == s2) return 0;
> +    if (!s1 || !s2) return INT_MAX;
>
>      FcStrCaseWalkerInit (s1, &w1);
>      FcStrCaseWalkerInit (s2, &w2);
>
> Petr
>
> [1]
> http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=4d024ac10f964f6bd372ae0dd14f02772a6e5f63
>
>
> _______________________________________________
> Fontconfig mailing list
> address@hidden
> http://lists.freedesktop.org/mailman/listinfo/fontconfig
>



-- 
Akira TAGOH