[PATCH:libXft 2/2] XftGlyphFontSpecCore: check to make sure glyphs are in range

Alan Coopersmith alan.coopersmith at oracle.com
Wed Feb 2 22:22:18 PST 2011


From: Derek Wang <Derek.Wang at sun.com>

This fixes a crash reported when selecting "View Page Source" in Mozilla
on Solaris 10, due to invalid parameters being given to XPutImage.

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6261221

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
---

I can't claim to understand this patch, but it's been shipping in Solaris
libXft for 5 years, so it's a bit overdue to attempt pushing it upstream.
(Unfortunately, that's also almost how long it's been since the original
 author left Sun.)

Given the timeframe & hardware on which it was reported, I suspect it
affects the libXft fallback path to use libX11 when the Render extension
is not available, but have not confirmed that.

 src/xftcore.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/src/xftcore.c b/src/xftcore.c
index 3f87109..a0103cf 100644
--- a/src/xftcore.c
+++ b/src/xftcore.c
@@ -1253,7 +1253,17 @@ XftGlyphFontSpecCore (XftDraw			*draw,
 	if (i)
 	{
 	    if (g_x1 < x1)
+	    {
+		if (g_x1 < 0)
+		{
+		    /* do nothing if the given glyphs are out of range */
+		    short t = glyphs[i-1].font->max_advance_width
+			+ glyphs[i-1].x;
+		    if (t < 0 && glyphs[i-1].x > 0)
+			goto bail1;
+		}
 		x1 = g_x1;
+	    }
 	    if (g_y1 < y1)
 		y1 = g_y1;
 	    if (g_x2 > x2)
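Review bot: The new `short t = glyphs[i-1].font->max_advance_width + glyphs[i-1].x;` inside the `g_x1 < 0` branch detects 16-bit wraparound only by narrowing an int sum to short. That conversion is implementation-defined for out-of-range values, and the comment "do nothing if the given glyphs are out of range" does not say that wraparound is the case being caught. Consider keeping the sum in an int and comparing it against the short limit explicitly, for example `if (glyphs[i-1].x > 0 && sum > SHRT_MAX) goto bail1;`, and stating in the comment that the goal is to avoid passing invalid extents on to XPutImage. The test inspects only `glyphs[i-1]` and only the x axis. Nothing comparable is added for `g_y1` or `g_x2` in the lines that follow, so it is worth confirming whether other glyphs in the array or the y coordinate can produce the same bad extents. The `bail1` label is outside this hunk, so please verify it is the correct exit for whatever state is held at this point.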
-- 
1.7.3.2


