[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Buffer overflow in the autohinting code.
|
From: |
Ram'on Garc'ia Fern'andez |
|
Subject: |
Buffer overflow in the autohinting code. |
|
Date: |
Thu, 24 Aug 2000 20:27:48 +0200 |
|
User-agent: |
Mutt/1.2i |
Hello,
I was testing ft2lint and ft2view with arial.ttf from
http://www.microsoft.com/typography/. They crashed in malloc. The
problem appears to be a buffer overflow. According to Electic Fence,
the problem happens in the line:
memset( segment, 0, sizeof ( *segment ) ); (ahglyph.c: 647)
I believe that this patch fixes the bug. However, I am not familiar
with the code of Freetype, so please review it before accepting. In
my opinion the problem is that in the function the code in
ah_outline_load does not take into account that two additional segments
are needed if AH_HINT_METRICS is on.
Ramon
*** ahglyph.c 2000/08/24 17:57:20 1.1
--- ahglyph.c 2000/08/24 18:22:34
***************
*** 196,207 ****
if ( num_points > outline->max_points )
{
FT_Int news = ( num_points + 7 ) & -8;
FT_Int max = outline->max_points;
if ( REALLOC_ARRAY( outline->points, max, news, AH_Point ) ||
REALLOC_ARRAY( outline->horz_edges, max, news, AH_Edge ) ||
! REALLOC_ARRAY( outline->horz_segments, max, news, AH_Segment ) )
goto Exit;
/* readjust some pointers */
--- 196,213 ----
if ( num_points > outline->max_points )
{
FT_Int news = ( num_points + 7 ) & -8;
+ FT_Int news_segments = news;
FT_Int max = outline->max_points;
+ FT_Int max_segments = max;
+ #ifdef AH_HINT_METRICS
+ news_segments = news_segments + 2;
+ max_segments = max_segments + 2;
+ #endif
if ( REALLOC_ARRAY( outline->points, max, news, AH_Point ) ||
REALLOC_ARRAY( outline->horz_edges, max, news, AH_Edge ) ||
! REALLOC_ARRAY( outline->horz_segments, max_segments,
news_segments, AH_Segment ) )
goto Exit;
/* readjust some pointers */
- Buffer overflow in the autohinting code.,
Ram'on Garc'ia Fern'andez <=