diff options
| author | Behdad Esfahbod <behdad@behdad.org> | 2011-02-17 11:19:48 -0500 |
|---|---|---|
| committer | Behdad Esfahbod <behdad@behdad.org> | 2011-02-17 11:19:48 -0500 |
| commit | 4e6248d76f55c6184f28afe614d7d76b6fa3d455 (patch) | |
| tree | e86de67eac1e45b1f67809c38ac15f65306cce04 | |
| parent | 12de1ecf9ab9c925e7021288b10175af74007e94 (diff) | |
| download | pango-4e6248d76f55c6184f28afe614d7d76b6fa3d455.tar.gz | |
Bug 639882 - Heap corruption in font parsing with FreeType2 backend
| -rw-r--r-- | pango/pangoft2-render.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/pango/pangoft2-render.c b/pango/pangoft2-render.c index bd3b7d40..42923f49 100644 --- a/pango/pangoft2-render.c +++ b/pango/pangoft2-render.c @@ -121,9 +121,14 @@ pango_ft2_font_render_box_glyph (int width, box->bitmap.width = width; box->bitmap.rows = height; - box->bitmap.pitch = height; + box->bitmap.pitch = width; - box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch); + box->bitmap.buffer = g_malloc0_n (box->bitmap.rows, box->bitmap.pitch); + + if (G_UNLIKELY (!box->bitmap.buffer)) { + g_slice_free (PangoFT2RenderedGlyph, box); + return NULL; + } /* draw the box */ for (j = 0; j < line_width; j++) @@ -226,6 +231,11 @@ pango_ft2_font_render_glyph (PangoFont *font, rendered->bitmap_left = face->glyph->bitmap_left; rendered->bitmap_top = face->glyph->bitmap_top; + if (G_UNLIKELY (!rendered->bitmap.buffer)) { + g_slice_free (PangoFT2RenderedGlyph, rendered); + return NULL; + } + return rendered; } else @@ -276,6 +286,8 @@ pango_ft2_renderer_draw_glyph (PangoRenderer *renderer, if (rendered_glyph == NULL) { rendered_glyph = pango_ft2_font_render_glyph (font, glyph); + if (rendered_glyph == NULL) + return; add_glyph_to_cache = TRUE; } |