From 71b14d645f524637579d87ea99720c123d728e1f Mon Sep 17 00:00:00 2001
From: Akira TAGOH
Date: Wed, 22 Feb 2012 16:30:05 +0900
Subject: [PATCH] Bug 46169 - Pointer error in FcConfigGlobMatch

Fix possibly accessing the invalid memory and a crash in the worst case when the glob string is longer than the string.
---
 src/fccfg.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/fccfg.c b/src/fccfg.c
index 09c5991..9395f74 100644
--- a/src/fccfg.c
+++ b/src/fccfg.c
@@ -2023,7 +2023,15 @@ FcConfigGlobMatch (const FcChar8 *glob,
 return FcTrue;
 /* short circuit another common case */
 if (strchr ((char *) glob, '*') == 0)
- string += strlen ((char *) string) - strlen ((char *) glob);
+ {
+ size_t l1, l2;
+
+ l1 = strlen ((char *) string);
+ l2 = strlen ((char *) glob);
+ if (l1 < l2)
+ return FcFalse;
+ string += (l1 - l2);
+ }
 while (*string)
 {
 if (FcConfigGlobMatch (glob, string))
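Review bot: The new `if (l1 < l2) return FcFalse;` guard carries no comment explaining why a shorter string can be rejected outright, and the names `l1`/`l2` do not say which length is which. The rejection relies on the `strchr` test just above it: with no `*` left, the rest of the glob presumably consumes one byte per pattern character (the `?` and literal cases are outside this hunk), so the tail has to be exactly `l2` bytes long. I would put `/* no '*' left in glob: the tail must be exactly l2 bytes, so a shorter string cannot match and the pointer must never move backwards */` above the check, and rename the locals to `string_len`/`glob_len`. The diffstat lists only src/fccfg.c, so the fix appears to land without a regression case for a string shorter than the remaining glob; one such case run under a memory sanitizer would keep the old `size_t` wrap-around from returning. FcConfigGlobMatch begins and ends outside the hunk.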