Fix FcCacheOffsetsValid()

Validation fails when the FcValueList contains more than font->num entries.
This logic was wrong because font->num is the number of elements in the
FcPatternElt array, not the number of FcValue entries in an FcValueList.

This corrects 7a4a5bd7.

Patch from Tobias Stoeckmann
This commit is contained in:
Akira TAGOH 2016-11-14 20:14:35 +09:00
parent 883b5cf48b
commit 0e9b2a1527
1 changed files with 12 additions and 5 deletions


@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
FcPattern *font = FcFontSetFont (fs, i); FcPattern *font = FcFontSetFont (fs, i);
FcPatternElt *e; FcPatternElt *e;
FcValueListPtr l; FcValueListPtr l;
char *last_offset;
if ((char *) font < base || if ((char *) font < base ||
(char *) font > end - sizeof (FcFontSet) || (char *) font > end - sizeof (FcFontSet) ||
@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
if (e->values != 0 && !FcIsEncodedOffset(e->values)) if (e->values != 0 && !FcIsEncodedOffset(e->values))
return FcFalse; return FcFalse;
for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l)) for (j = 0; j < font->num; j++)
if (l->next != NULL && !FcIsEncodedOffset(l->next)) {
break; last_offset = (char *) font + font->elts_offset;
if (j < 0) for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
return FcFalse; {
if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
(l->next != NULL && !FcIsEncodedOffset(l->next)))
return FcFalse;
last_offset = (char *) l + 1;
}
}
} }
} }
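Review bot: The per-node lower bound advances by one byte (`last_offset = (char *) l + 1;`), so consecutive FcValueList nodes are only required to be strictly increasing in address and may overlap each other; the chain still terminates because addresses are bounded by `end`, but if the serialized layout never places nodes on top of one another, `last_offset = (char *) l + sizeof (*l);` would reject that class of malformed cache as well. The retained `if (e->values != 0 && !FcIsEncodedOffset(e->values))` above the loop still only inspects the first element, while the new loop walks `e[j]` for every j; if the intent is that every element's `values` be an encoded offset, the same check belongs on `e[j].values` inside the outer loop, otherwise a short comment explaining why only `e[0]` is checked would help the next reader. The checks also compare `l` only against the [last_offset, end) range and not its alignment, which is worth a note if alignment is established elsewhere. FcCacheOffsetsValid's body begins before this hunk and the enclosing `for (i ...)` loop closes outside it.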