[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ft-devel] [patch] freetype-2.4.1/src/raster/ftraster.c: Decompose_Curve
|
From: |
Yuriy Kaminskiy |
|
Subject: |
[ft-devel] [patch] freetype-2.4.1/src/raster/ftraster.c: Decompose_Curve: access past allocated area |
|
Date: |
Thu, 05 Aug 2010 21:47:57 +0400 |
|
User-agent: |
Icedove 1.5.0.14eol (X11/20090105) |
While hunting another bug (still not sure mine/gcc/freetype, strange borkage
with type1 hinter, will report later), I found Decompose_Curve reads array past
allocated area, making valgrind unhappy:
=14635== Command: ./ftview 14 /usr/share/fonts/type1/gsfonts/a010013l.pfb
==14635== Parent PID: 5274
==14635==
==14635== Invalid read of size 4
==14635== at 0x4074D6D: Render_Single_Pass (ftraster.c:1934)
>> actually this is inside Decompose_Curve function (it was inlined)
==14635== by 0x40758C3: ft_black_render (ftraster.c:3235)
==14635== by 0x4074692: ft_raster1_render (ftrend1.c:216)
==14635== by 0x402E1C5: FT_Render_Glyph_Internal (ftobjs.c:3889)
==14635== by 0x403523B: FT_Glyph_To_Bitmap (ftglyph.c:566)
==14635== by 0x804D33C: FTDemo_Glyph_To_Bitmap (ftcommon.c:702)
==14635== by 0x804D66B: FTDemo_Index_To_Bitmap (ftcommon.c:887)
==14635== by 0x804D7BD: FTDemo_Draw_Index (ftcommon.c:932)
==14635== by 0x804B115: main (ftview.c:448)
==14635== Address 0x45c16d0 is 0 bytes after a block of size 408 alloc'd
==14635== at 0x401DBF8: malloc (vg_replace_malloc.c:195)
==14635== by 0x40295AC: ft_alloc (ftsystem.c:102)
==14635== by 0x402D4FA: ft_mem_qalloc (ftutil.c:76)
==14635== by 0x402F1C2: ft_mem_alloc (ftutil.c:55)
==14635== by 0x402F2AE: ft_mem_qrealloc (ftutil.c:145)
==14635== by 0x402F3DE: ft_mem_realloc (ftutil.c:101)
==14635== by 0x402F68C: FT_Outline_New_Internal (ftoutln.c:307)
==14635== by 0x402F77C: FT_Outline_New (ftoutln.c:337)
==14635== by 0x4034C94: ft_outline_glyph_init (ftglyph.c:174)
==14635== by 0x403530D: FT_Get_Glyph (ftglyph.c:405)
==14635== by 0x4078E0B: ftc_basic_family_load_glyph (ftcbasic.c:220)
==14635== by 0x4078D53: ftc_inode_new (ftcimage.c:79)
Patch attached.
Index: freetype-2.4.1/src/raster/ftraster.c
===================================================================
--- freetype-2.4.1.orig/src/raster/ftraster.c 2010-08-05 21:10:39.000000000
+0400
+++ freetype-2.4.1/src/raster/ftraster.c 2010-08-05 21:31:38.000000000
+0400
@@ -1931,18 +1931,21 @@
y1 = SCALED( point[-2].y );
x2 = SCALED( point[-1].x );
y2 = SCALED( point[-1].y );
- x3 = SCALED( point[ 0].x );
- y3 = SCALED( point[ 0].y );
if ( flipped )
{
SWAP_( x1, y1 );
SWAP_( x2, y2 );
- SWAP_( x3, y3 );
}
if ( point <= limit )
{
+ x3 = SCALED( point[ 0].x );
+ y3 = SCALED( point[ 0].y );
+ if ( flipped )
+ {
+ SWAP_( x3, y3 );
+ }
if ( Cubic_To( RAS_VARS x1, y1, x2, y2, x3, y3 ) )
goto Fail;
continue;
- [ft-devel] [patch] freetype-2.4.1/src/raster/ftraster.c: Decompose_Curve: access past allocated area,
Yuriy Kaminskiy <=