[ft-devel] FreeType 2.6.5: Access to uninitialised memory
From: Peter Klotz
Subject: [ft-devel] FreeType 2.6.5: Access to uninitialised memory
Date: Wed, 10 Aug 2016 10:38:32 +0200
Hello FreeType developers,
Valgrind (3.11.0) complained in one of our regression tests after upgrading to
FreeType 2.6.5 (from 2.6.1):
==22793== Conditional jump or move depends on uninitialised value(s)
==22793== at 0x10248FE: gray_hline (ftgrays.c:1361)
==22793== by 0x1024B1B: gray_sweep (ftgrays.c:1445)
==22793== by 0x1024E77: gray_convert_glyph (ftgrays.c:1960)
==22793== by 0x1025304: gray_raster_render (ftgrays.c:2097)
==22793== by 0xFD863E: FT_Outline_Render (ftoutln.c:640)
==22793== by 0xFD86EC: FT_Outline_Get_Bitmap (ftoutln.c:681)
The problem seems to have been introduced by this commit:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/smooth/ftgrays.c?id=32acceff836c2ca40be0034d0efaefad8278fadb
@@ -1429,10 +1429,10 @@ typedef ptrdiff_t FT_PtrDist;
/* see whether we can add this span to the current list */
count = ras.num_gray_spans;
span = ras.gray_spans + count - 1;
- if ( count > 0 &&
- ras.span_y == y &&
- (int)span->x + span->len == (int)x &&
- span->coverage == coverage )
+ if ( span->coverage == coverage &&
+ (TCoord)span->x + span->len == x &&
+ ras.span_y == y &&
+ count > 0 )
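Review bot: the reordered condition at the end of this hunk dereferences span before "count > 0" has been tested. On the unchanged line above, span is computed as ras.gray_spans + count - 1, so when count is zero the first operand, span->coverage, reads one element before the start of gray_spans. Moving "count > 0" back to the front of the && chain (as in the removed lines) restores the short-circuit guard; the remaining three comparisons can keep their new order.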
The check for "count > 0" is now last, which is a problem if count is zero. In
this case "span = ras.gray_spans - 1", which is definitely not a valid offset into
the gray_spans array. The access to "span->coverage" in the first if-condition
then triggers the Valgrind warning.
The attached patch fixes the problem by reordering the if conditions and
placing "count > 0" first (like before).
Regards, Peter.
Attachment: freetype-2.6.5-ftgrays.patch
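To make the evaluation-order point concrete, here is an added C model (not FreeType's code and not part of the message above; the Raster struct, the load() instrumentation and the two can_merge_* functions are constructed for this example) that counts reads outside gray_spans for the 2.6.5 condition order and for the patched order:

```c
/* Constructed model of the gray raster state; the field names follow the hunk
 * quoted above, but this is not FreeType's code. */
typedef int TCoord;
typedef struct { TCoord x; TCoord len; unsigned char coverage; } TSpan;
enum { MAX_SPANS = 8 };
typedef struct { TSpan gray_spans[MAX_SPANS]; int num_gray_spans; TCoord span_y;
                 int oob_reads; /* instrumentation: reads outside gray_spans */ } Raster;
typedef int (*MergeCheck)(Raster *, TCoord, TCoord, unsigned char);

/* Read gray_spans[idx]; an out-of-range index is counted and served from a
 * sentinel so the demo stays defined C instead of reading before the array. */
static TSpan load(Raster *ras, int idx)
{
    static const TSpan sentinel = { 0, 0, 0 };
    if (idx < 0 || idx >= MAX_SPANS) { ras->oob_reads++; return sentinel; }
    return ras->gray_spans[idx];
}

/* 2.6.5 order: span->coverage is read before "count > 0" has been tested. */
int can_merge_reordered(Raster *ras, TCoord x, TCoord y, unsigned char cov)
{
    int count = ras->num_gray_spans;
    return load(ras, count - 1).coverage == cov &&
           (TCoord)load(ras, count - 1).x + load(ras, count - 1).len == x &&
           ras->span_y == y &&
           count > 0;
}

/* Patched order: "count > 0" first, so an empty list is never dereferenced. */
int can_merge_fixed(Raster *ras, TCoord x, TCoord y, unsigned char cov)
{
    int count = ras->num_gray_spans;
    return count > 0 &&
           ras->span_y == y &&
           (TCoord)load(ras, count - 1).x + load(ras, count - 1).len == x &&
           load(ras, count - 1).coverage == cov;
}

/* Run a check against an empty span list; returns the out-of-bounds read count. */
int oob_reads_on_empty_list(MergeCheck check)
{
    Raster ras = { {{0, 0, 0}}, 0, 7, 0 };  /* num_gray_spans == 0 */
    check(&ras, 3, 7, 255);
    return ras.oob_reads;
}

/* With one span (x 10..15, coverage 128) both orders still merge x == 15. */
int merges_adjacent_span(MergeCheck check)
{
    Raster ras = { {{10, 5, 128}}, 1, 7, 0 };
    return check(&ras, 15, 7, 128);
}
```

In the real raster the out-of-range read is undefined behaviour rather than a counted sentinel access, which is exactly what Valgrind reports as a conditional jump on uninitialised memory.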