[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freetype2] master bad92be: [bdf] Fix use of uninitialized value.
From: |
Werner Lemberg |
Subject: |
[freetype2] master bad92be: [bdf] Fix use of uninitialized value. |
Date: |
Sat, 11 Dec 2021 02:03:01 -0500 (EST) |
branch: master
commit bad92be9270c8952ca5367e6e1d48bc4d26d4fa1
Author: Ben Wagner <bungeman@chromium.org>
Commit: Ben Wagner <bungeman@chromium.org>
[bdf] Fix use of uninitialized value.
In _bdf_readstream if the data contained no newline then the buffer
would continue to grow and uninitialized data read until either the
uninitialized data contained a newline or the buffer reached its
maxiumum size. The assumption was that the line was always too long and
the buffer had been filled, however this case can also happen when there
is not enough data to fill the buffer.
Correct this by properly setting the cursor to the end of the available
data, which may be different from the end of the buffer. This may still
result in one extra allocation, but only on malformed fonts.
* src/bdf/bdflib.c (_bfd_readstream): Correctly update cursor. Remove
unread set of `avail`.
Bug:
https://lists.nongnu.org/archive/html/freetype-devel/2021-12/msg00001.html
---
src/bdf/bdflib.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index b65c8a2..e317bdd 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -613,7 +613,7 @@
if ( FT_QREALLOC( buf, buf_size, new_size ) )
goto Exit;
- cursor = (ptrdiff_t)buf_size;
+ cursor = avail;
buf_size = new_size;
}
else
@@ -623,7 +623,6 @@
FT_MEM_MOVE( buf, buf + start, bytes );
cursor = bytes;
- avail -= bytes;
start = 0;
}
refill = 1;
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [freetype2] master bad92be: [bdf] Fix use of uninitialized value.,
Werner Lemberg <=