From 6e04db81b9dc5913607bd97e1000d59c6ed0c496 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Thu, 30 Jul 2020 10:06:53 -0400
Subject: layout: Avoid a crash with short strings
You can call pango_layout_set_text() with a length that is longer than the string (and there's code in the wild that does that). We try to handle it by only looking at the initial segment of the text, but we are forgetting to set layout->length to the length of that segment, leading us to access beyond the string end later. This fixes #490
---
 pango/pango-layout.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pango/pango-layout.c b/pango/pango-layout.c
index b07c8487..92d858b2 100644
--- a/pango/pango-layout.c
+++ b/pango/pango-layout.c
@@ -1173,6 +1173,7 @@ pango_layout_set_text (PangoLayout *layout,
 g_warning ("Invalid UTF-8 string passed to pango_layout_set_text()");
 layout->n_chars = pango_utf8_strlen (layout->text, -1);
+ layout->length = strlen (layout->text);
 layout_changed (layout);
-- cgit v1.2.1
From c2c9733047a524b794ba11208c758264d266ad20 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Thu, 30 Jul 2020 10:04:58 -0400
Subject: Add a reproducer for a pidgin crash
This test is reproducing the crash reported in #490.
---
 tests/testmisc.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/tests/testmisc.c b/tests/testmisc.c
index f5583cab..9f1f24da 100644
--- a/tests/testmisc.c
+++ b/tests/testmisc.c
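Review bot: The added `layout->length = strlen (layout->text);` is only correct because the copy made earlier in the function is nul-terminated and (per the commit message) cut at the first nul of the caller's buffer, and nothing at the line says so; a why-comment would stop a later refactor from "simplifying" it away, e.g. `/* The copy may be shorter than the length the caller passed (it stops at the first nul), so derive length from the copy, not from the argument. */`. Presumably `layout->length` was already assigned from the caller's `length` earlier in pango_layout_set_text (outside the hunk); any code between that assignment and this line, such as the UTF-8 validation that emits the warning above, still runs with the oversized value and is worth checking against the same over-read. The documentation of the `length` parameter should also state explicitly that a positive length is clamped at the first nul byte, since callers like the one in #490 depend on it. pango_layout_set_text starts and ends outside the hunk.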
@@ -54,6 +54,25 @@ test_itemize_empty_crash (void)
 g_object_unref (context);
 }
+/* Test that pango_layout_set_text (layout, "short", 200)
+ * does not lead to a crash. (pidgin does this)
+ */
+static void
+test_short_string_crash (void)
+{
+ PangoContext *context;
+ PangoLayout *layout;
+ int width, height;
+ context = pango_font_map_create_context (pango_cairo_font_map_get_default ());
+ layout = pango_layout_new (context);
+ pango_layout_set_text (layout, "short text", 200);
+ pango_layout_get_pixel_size (layout, &width, &height);
+ g_object_unref (layout);
+ g_object_unref (context);
+}
+
 int
 main (int argc, char *argv[])
 {
@@ -61,6 +80,7 @@ main (int argc, char *argv[])
 g_test_add_func ("/layout/shape-tab-crash", test_shape_tab_crash);
 g_test_add_func ("/layout/itemize-empty-crash", test_itemize_empty_crash);
+ g_test_add_func ("/layout/short-string-crash", test_short_string_crash);
 return g_test_run ();
 }
-- cgit v1.2.1
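Review bot: test_short_string_crash only checks that the call survives, so on a build without AddressSanitizer it would likely have passed against the pre-fix code too unless the over-read happened to fault; the test should pin the truncation the fix relies on. After `pango_layout_set_text (layout, "short text", 200);` add `g_assert_cmpstr (pango_layout_get_text (layout), ==, "short text");` and, if that accessor exists in this tree, `g_assert_cmpint (pango_layout_get_character_count (layout), ==, 10);`, which fails deterministically if layout->length is ever again taken from the oversized argument. `width` and `height` are written by pango_layout_get_pixel_size but never read, which some compilers warn about; asserting `width > 0` would both silence that and confirm layout actually happened. The main() hunk below is a plain registration and needs nothing further.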