[PATCH] fix crashes on malformed fonts.cache


 



Hi, 

This one fixes a memory overrun when a fonts.cache file is slightly malformed.
Other places probably need similar fixes.

Thanks,
Dirk

2006-02-01  Dirk Mueller  <dmueller@xxxxxxx>

	* fcfs.c (FcFontSetUnserialize): Make sure there is no
	integer overflow when reading the cache file.

Index: src/fcfs.c
===================================================================
RCS file: /cvs/fontconfig/fontconfig/src/fcfs.c,v
retrieving revision 1.4.4.8
diff -u -3 -d -p -r1.4.4.8 fcfs.c
--- src/fcfs.c	25 Nov 2005 15:50:33 -0000	1.4.4.8
+++ src/fcfs.c	1 Feb 2006 19:04:23 -0000
@@ -159,23 +159,23 @@ FcFontSetUnserialize(FcCache * metadata,
     nfont = *(int *)block_ptr;
     block_ptr = (int *)block_ptr + 1;
 
-    if (s->sfont < s->nfont + nfont)
-    {
-	int sfont = s->nfont + nfont;
-	FcPattern ** pp;
-	pp = realloc (s->fonts, sfont * sizeof (FcPattern));
-	if (!pp)
-	    return FcFalse;
-	s->fonts = pp;
-	s->sfont = sfont;
-    }
-    n = s->nfont;
-    s->nfont += nfont;
-
-    if (nfont > 0)
+    if (nfont > 0 && s->nfont < s->nfont + nfont)
     {
 	FcPattern * p = (FcPattern *)block_ptr;
 
+	if (s->sfont < s->nfont + nfont)
+	{
+	    int sfont = s->nfont + nfont;
+	    FcPattern ** pp;
+	    pp = realloc (s->fonts, sfont * sizeof (FcPattern));
+	    if (!pp)
+		return FcFalse;
+	    s->fonts = pp;
+	    s->sfont = sfont;
+	}
+	n = s->nfont;
+	s->nfont += nfont;
+
         /* The following line is a bit counterintuitive.  The usual
          * convention is that FcPatternUnserialize is responsible for
          * aligning the FcPattern.  However, the FontSet also stores
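Review bot: The new guard `s->nfont < s->nfont + nfont` detects overflow by letting a signed addition wrap, which is undefined behaviour in C if both operands are `int` (as `*(int *)block_ptr` and `int sfont` suggest), so an optimising compiler may reduce the test to `nfont > 0` and drop the protection. A form that cannot overflow is `if (nfont > 0 && nfont <= INT_MAX - s->nfont)`, with `<limits.h>` included. The moved `realloc (s->fonts, sfont * sizeof (FcPattern))` still multiplies a file-controlled count without a bound, which can wrap `size_t` on 32-bit targets and return an undersized array. Since `pp` is `FcPattern **`, the element size looks like it should be `sizeof (FcPattern *)`. The function body starts before this hunk and continues after it.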
@@ -187,7 +187,7 @@ FcFontSetUnserialize(FcCache * metadata,
 
 	block_ptr = FcPatternUnserialize (metadata, block_ptr);
 	block_ptr = FcObjectUnserialize (metadata, block_ptr);
+        return block_ptr != 0;
     }
-
-    return block_ptr != 0;
+    return FcFalse;
 }
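Review bot: With the final `return FcFalse;`, a cache block whose count is `nfont == 0` now reports failure, whereas before the patch it skipped the block and returned `block_ptr != 0`, so callers can no longer tell an empty set from a malformed one. If an empty set is legitimate in a cache file (not determinable from this hunk), handle it ahead of the overflow guard, e.g. `if (nfont == 0) return FcTrue;`, and keep `FcFalse` for negative or overflowing counts. Separately, the result of `FcPatternUnserialize` is passed straight to `FcObjectUnserialize` with no NULL check, after `s->nfont` has already been increased. A failed read may therefore leave the set claiming entries that were never filled; this should be confirmed against the rest of the function, which lies outside the hunk.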
_______________________________________________
Fontconfig mailing list
Fontconfig@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/fontconfig
