Fix FcCacheOffsetsValid()
Validation fails when the FcValueList contains more than font->num entries.
This logic was wrong because font->num holds the number of FcPatternElt
elements, not the number of FcValue entries in an FcValueList.
This corrects 7a4a5bd7.
Patch from Tobias Stoeckmann
parent
883b5cf48b
commit
0e9b2a1527
|
@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
|
||||||
FcPattern *font = FcFontSetFont (fs, i);
|
FcPattern *font = FcFontSetFont (fs, i);
|
||||||
FcPatternElt *e;
|
FcPatternElt *e;
|
||||||
FcValueListPtr l;
|
FcValueListPtr l;
|
||||||
|
char *last_offset;
|
||||||
|
|
||||||
if ((char *) font < base ||
|
if ((char *) font < base ||
|
||||||
(char *) font > end - sizeof (FcFontSet) ||
|
(char *) font > end - sizeof (FcFontSet) ||
|
||||||
|
@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
|
||||||
if (e->values != 0 && !FcIsEncodedOffset(e->values))
|
if (e->values != 0 && !FcIsEncodedOffset(e->values))
|
||||||
return FcFalse;
|
return FcFalse;
|
||||||
|
|
||||||
for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
|
for (j = 0; j < font->num; j++)
|
||||||
if (l->next != NULL && !FcIsEncodedOffset(l->next))
|
{
|
||||||
break;
|
last_offset = (char *) font + font->elts_offset;
|
||||||
if (j < 0)
|
for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
|
||||||
return FcFalse;
|
{
|
||||||
|
if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
|
||||||
|
(l->next != NULL && !FcIsEncodedOffset(l->next)))
|
||||||
|
return FcFalse;
|
||||||
|
last_offset = (char *) l + 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
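Review bot: The encoded-offset check on `values` just above the new loop still covers only the first element (`e->values`), while the loop now walks `e[j]` for every `j < font->num`, so `FcPatternEltValues(&e[j])` is evaluated for the later elements without that check. Moving it to the top of the outer loop body, e.g. `if (e[j].values != 0 && !FcIsEncodedOffset(e[j].values)) return FcFalse;`, would apply the same rule to every element and would also avoid reading `e[0]` when `font->num` is 0. The range test on `l` narrows the exposure, but presumably a non-encoded value that happens to fall between `last_offset` and `end - sizeof (*l)` would still be accepted. A one-line comment on `last_offset = (char *) l + 1;` stating that list nodes must sit at strictly increasing addresses, which is what bounds the walk on a malformed cache, would make the intent clear. The assignment of `e` and the rest of FcCacheOffsetsValid lie outside the hunks shown, so the bounds on `font->num` and `font->elts_offset` could not be checked from here.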