authorAkira TAGOH <akira@tagoh.org>2016-11-14 20:14:35 +0900
committerYoungbok Shin <youngb.shin@samsung.com>2017-10-11 14:35:53 +0900
commitbc105e0678ecbd7cee304ab2b181dc62cac1575f (patch)
tree2bee9b0cb4527f1176506e4d7eb535c7b4a336b5
parent7539f568fddce539ff94bb1f3ee215b980b73c5b (diff)
Fix FcCacheOffsetsValid()
Validation fails when the FcValueList contains more values than font->num. This logic was wrong because font->num holds the number of elements in FcPatternElt, not the number of FcValue entries in FcValueList. This corrects 7a4a5bd7. Patch from Tobias Stoeckmann Change-Id: I4d14746892a0426b7096810bf30128bf69829417
-rw-r--r--src/fccache.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/fccache.c b/src/fccache.c
index 02ec3013..6f3c68a2 100644
--- a/src/fccache.c
+++ b/src/fccache.c
@@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
FcPattern *font = FcFontSetFont (fs, i);
FcPatternElt *e;
FcValueListPtr l;
+ char *last_offset;
if ((char *) font < base ||
(char *) font > end - sizeof (FcFontSet) ||
@@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
if (e->values != 0 && !FcIsEncodedOffset(e->values))
return FcFalse;
- for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
- if (l->next != NULL && !FcIsEncodedOffset(l->next))
- break;
- if (j < 0)
- return FcFalse;
+ for (j = 0; j < font->num; j++)
+ {
+ last_offset = (char *) font + font->elts_offset;
+ for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
+ {
+ if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
+ (l->next != NULL && !FcIsEncodedOffset(l->next)))
+ return FcFalse;
+ last_offset = (char *) l + 1;
+ }
+ }
}
}
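Review bot: The encoded-offset test kept as context just above the new loop (`if (e->values != 0 && !FcIsEncodedOffset(e->values))`) still looks only at the first element, while the new loop walks `&e[j]` for every j below font->num. For j > 0 a `values` field that is not an encoded offset is therefore resolved by FcPatternEltValues without that test, and only the range comparison against `last_offset` and `end` guards the first `l->next` read; presumably the macro then takes the field as an absolute pointer, which a cache file should never supply. Moving the test to the top of the j loop body closes that: `if (e[j].values != 0 && !FcIsEncodedOffset(e[j].values)) return FcFalse;`. A short comment on `last_offset = (char *) l + 1;` saying that it enforces strictly increasing node addresses, so a list cannot loop back on itself, would also help the next reader. FcCacheOffsetsValid starts and ends outside this hunk.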