Re: [Fonts] A serious problem about freetype module

2003-02-11 Thread Chisato Yamauchi
> The calculation of bpr looks a little unusual to me, but I don't know
> how all the parameters are used.
> 
> I'll commit your patch now since it does help prevent a crash.

  Thanks.

  I confirmed that this buffer overflow occurs in memcpy() in
ftfuncs.c:


if(dx == 0 && dy == 0 && bpr == bitmap->pitch) {
    memcpy(raster, bitmap->buffer, bitmap->rows * bitmap->pitch);
} else if(dx == 0) {


  'bitmap->rows * bitmap->pitch' sometimes exceeds 'ht*bpr'
when displaying kochi-mincho.ttf, so X crashes.

  The following is a patch for improving safety.  Although 'ht' is
used instead of 'ht+2', the crash does not occur.


Chisato Yamauchi


*** xc/lib/font/FreeType/ftfuncs.c._orig_   2003-02-09 21:02:43.0 +0900
--- xc/lib/font/FreeType/ftfuncs.c  2003-02-11 17:30:35.0 +0900
***
*** 600,627 
  bpr = (((wd + (instance-bmfmt.glyph3) - 1)  3)  
 -instance-bmfmt.glyph);
  if(tgp) {
! raster = (char*)xalloc((ht+2) * bpr);
  if(raster == NULL) 
  return AllocError;
! memset(raster, 0, (ht+2) * bpr);
  }
  
  if(dx == 0  dy == 0  bpr == bitmap-pitch) {
! memcpy(raster, bitmap-buffer, bitmap-rows * bitmap-pitch);
  } else if(dx == 0) {
! for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++)
! memcpy(raster + (i + dy) * bpr,
!bitmap-buffer + i * bitmap-pitch,
!bitmap-pitch);
  } else {
  for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++) {
  for(j = MAX(0, -dx); j  bitmap-width  j + dx  wd; j++) {
  int set;
  set = (bitmap-buffer[i * bitmap-pitch + j / 8] 
 1  (7 - j % 8));
! if(set)
! raster[(i + dy) * bpr + (j + dx) / 8] |=
! 1  (7 - (j + dx) % 8);
  }
  }
  }
--- 600,643 
  bpr = (((wd + (instance-bmfmt.glyph3) - 1)  3)  
 -instance-bmfmt.glyph);
  if(tgp) {
! raster = (char*)xalloc(ht * bpr);
  if(raster == NULL) 
  return AllocError;
! memset(raster, 0, ht * bpr);
  }
  
  if(dx == 0  dy == 0  bpr == bitmap-pitch) {
!   size_t cpy_size=bitmap-rows * bitmap-pitch;
!   if( ht*bpr  cpy_size ) cpy_size=ht*bpr;
! memcpy(raster, bitmap-buffer, cpy_size);
  } else if(dx == 0) {
! for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++){
!   int cpy_begin=(i + dy) * bpr;
!   size_t cpy_size=bitmap-pitch;
!   if( cpy_begin  ht*bpr ){
!   if( ht*bpr  cpy_begin+cpy_size ){
!   cpy_size = ht*bpr-cpy_begin;
!   }
!   memcpy(raster + cpy_begin,
!  bitmap-buffer + i * bitmap-pitch,
!  cpy_size);
!   }
!   }
  } else {
  for(i = MAX(0, -dy); i  bitmap-rows  i + dy  ht; i++) {
  for(j = MAX(0, -dx); j  bitmap-width  j + dx  wd; j++) {
  int set;
  set = (bitmap-buffer[i * bitmap-pitch + j / 8] 
 1  (7 - j % 8));
! if(set){
!   int target = (i + dy) * bpr + (j + dx) / 8;
!   if( target  ht*bpr ){
!   raster[target] |= 1  (7 - (j + dx) % 8);
!   }
!   else{
!   break;
!   }
!   }
  }
  }
  }
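Review bot: In the dx == 0 branch, the clamp only protects the last raster row: cpy_size starts at bitmap->pitch and is shortened only when cpy_begin + cpy_size would pass ht*bpr, so whenever bitmap->pitch is larger than bpr every earlier row still writes bitmap->pitch bytes and spills into the following raster row (inside the allocation, but corrupting the glyph). Clamping the per-row length to bpr as well, e.g. `size_t cpy_size = MIN(bitmap->pitch, bpr);`, makes each row self-contained, and the `if( cpy_begin < ht*bpr )` test then becomes redundant, because the loop condition `i + dy < ht` already guarantees it. In the first branch, silently shortening the copy when bitmap->rows * bitmap->pitch exceeds ht*bpr hides exactly the mismatch this thread is chasing (more source rows than ht); logging the case, or taking the fast path only when bitmap->rows fits in ht, would keep the crash fixed without masking it. Finally, cpy_size is size_t while ht*bpr is int, so each of these comparisons mixes signedness; computing the limit once as a size_t after checking ht*bpr is non-negative avoids both the warning and a surprise if the product ever overflows.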
___
Fonts mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/fonts
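The following is an added example, not code from XFree86 or FreeType: a bounds-checked version of the dx == 0 row-copy path described in the message above, with the struct names, blit_rows() and check_case() assumed for illustration. Each row copies at most min(pitch, bpr) bytes and rows outside [0, ht) are skipped, so an oversized source (more rows than ht, the shape of the kochi-mincho.ttf case) is truncated and reported instead of written past the raster; check_case() builds a constructed all-ones glyph, places a guard region after the raster and verifies that the guard survives.

```c
/* Added example, not XFree86 or FreeType code: a bounds-checked version of
 * the dx == 0 row-copy path from the thread.  The struct names, blit_rows()
 * and check_case() are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the FT_Bitmap fields the copy loop reads (assumed layout). */
struct glyph_bitmap {
    int rows;                    /* scanlines in the source */
    int pitch;                   /* bytes per scanline in the source */
    const unsigned char *buffer;
};

/* Destination as in ftfuncs.c: ht rows of bpr bytes each. */
struct raster {
    int ht;
    int bpr;
    unsigned char *data;         /* exactly ht * bpr bytes */
};

struct blit_result {
    int rows_copied;             /* rows actually written */
    int truncated;               /* 1 if any source row or column was dropped */
};

/* Copy the source bitmap into the raster at vertical offset dy.
 * The unchecked form, memcpy(raster, bitmap->buffer, rows * pitch), trusts
 * the source dimensions.  Here every row is clamped: rows outside [0, ht)
 * are skipped and each row copies at most min(pitch, bpr) bytes, so no row
 * can run into its neighbour or past the end of the raster. */
static struct blit_result blit_rows(struct raster *dst,
                                    const struct glyph_bitmap *src, int dy)
{
    struct blit_result r = { 0, 0 };
    size_t row_bytes = (size_t)(src->pitch < dst->bpr ? src->pitch : dst->bpr);
    int i;

    if (src->pitch > dst->bpr)
        r.truncated = 1;                 /* columns beyond bpr are dropped */

    for (i = 0; i < src->rows; i++) {
        int y = i + dy;
        if (y < 0 || y >= dst->ht) {
            r.truncated = 1;             /* row lies outside the raster */
            continue;
        }
        memcpy(dst->data + (size_t)y * (size_t)dst->bpr,
               src->buffer + (size_t)i * (size_t)src->pitch, row_bytes);
        r.rows_copied++;
    }
    return r;
}

/* One constructed case: an all-ones source of src_rows x src_pitch bytes is
 * blitted into an ht x bpr raster that is followed by a guard region.
 * Returns 1 if the guard is untouched, each raster row starts with 0xFF
 * exactly when a source row landed on it, and the counts match; else 0. */
#define GUARD 16
static int check_case(int src_rows, int src_pitch, int ht, int bpr, int dy,
                      int expect_rows, int expect_trunc)
{
    size_t n = (size_t)ht * (size_t)bpr;
    size_t src_n = (size_t)src_rows * (size_t)src_pitch;
    unsigned char *mem = malloc(n + GUARD);
    unsigned char *srcbuf = malloc(src_n);
    struct raster dst;
    struct glyph_bitmap src;
    struct blit_result r;
    int ok = 1, k;

    if (mem == NULL || srcbuf == NULL) { free(mem); free(srcbuf); return 0; }
    memset(mem, 0x00, n);
    memset(mem + n, 0xA5, GUARD);        /* guard pattern after the raster */
    memset(srcbuf, 0xFF, src_n);         /* constructed glyph: every bit set */
    dst.ht = ht;  dst.bpr = bpr;  dst.data = mem;
    src.rows = src_rows;  src.pitch = src_pitch;  src.buffer = srcbuf;

    r = blit_rows(&dst, &src, dy);

    for (k = 0; k < GUARD; k++)
        if (mem[n + k] != 0xA5) ok = 0;  /* an overrun would have hit this */
    for (k = 0; k < ht; k++) {
        int has_source = (k - dy >= 0 && k - dy < src_rows);
        if (mem[(size_t)k * (size_t)bpr] != (has_source ? 0xFF : 0x00)) ok = 0;
    }
    if (r.rows_copied != expect_rows || r.truncated != expect_trunc) ok = 0;
    free(mem);
    free(srcbuf);
    return ok;
}

int main(void)
{
    /* Source taller than the raster: the shape of the kochi-mincho crash. */
    printf("rows > ht   : %s\n", check_case(40, 4, 24, 4, 0, 24, 1) ? "ok" : "FAIL");
    printf("exact fit   : %s\n", check_case(24, 4, 24, 4, 0, 24, 0) ? "ok" : "FAIL");
    printf("pitch > bpr : %s\n", check_case(24, 8, 24, 4, 0, 24, 1) ? "ok" : "FAIL");
    printf("negative dy : %s\n", check_case(24, 4, 24, 4, -4, 20, 1) ? "ok" : "FAIL");
    return 0;
}
```

The guard region is what the original `(ht+2) * bpr` allocation was implicitly providing; making the per-row clamp explicit removes the need for that slack and turns a silent overrun into a reported truncation.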



[Fonts] Re: A serious problem about freetype module

2003-02-11 Thread Mike FABIAN
Chisato Yamauchi [EMAIL PROTECTED] wrote:

>> It's strange, but I can't reproduce the crash, although your
>> fix isn't yet included in the XFree86-4.2.99.901_CVS_20030205
>> I am currently running 
>> 
>>xfd -fn -kochi-mincho-medium-r-normal--50-0-0-0-c-0-jisx0208.1983-0
>> 
>> doesn't crash when I use only the freetype module and not the xtt
>> module.
>
>   There are few glyphs of kochi-mincho.ttf leading to crash,
> so we may not reproduce the crash with xfd.  I confirmed the
> crash using xfd with this XLFD:
>
>   -kochi-mincho-medium-r-normal--24-0-0-0-c-0-jisx0208.1983-0 .
>
>   Did you try xfontsel?

Yes, but it didn't crash either.

Now I can't reproduce the crash anymore anyway because I am running
your fixed version already:

cvs log ftfuncs.c
[...]

revision 1.26
date: 2003/02/09 02:44:42;  author: dawes;  state: Exp;  lines: +3 -3
 864. Fix an X server crash with the "freetype" module when displaying
  kochi-mincho.ttf at a size of 18 pixels or higher (Chisato Yamauchi).


-- 
Mike Fabian   [EMAIL PROTECTED]   http://www.suse.de/~mfabian
Lack of sleep is the enemy of work.
___
Fonts mailing list
[EMAIL PROTECTED]
http://XFree86.Org/mailman/listinfo/fonts