authorKarl Tomlinson <bugs.freedesktop@karlt.net>2007-09-12 12:00:43 +0100
committerKeith Packard <keithp@koto.keithp.com>2007-09-12 12:00:43 +0100
commit8ae5ea8c75a7850fa0aca0acc3962b6263f55094 (patch)
tree3b9cf21ba20c34ebd0476c022f3148328e7ea28b /src/xftfreetype.c
parenta782fe3fbed05344e2a12f53ede6101e120ed485 (diff)
XftFontOpenInfo: Use of uninitialised value of size 8 (bug 11200)
This is due to XftFontInfoFill using the binary representation of the XftFontInfo to generate fi->hash. With 64-bit pointers there is padding between .hash and .file in struct _XftFontInfo. This padding is not initialized, and the hash uses these bytes. This will interfere with finding "a matching previously opened font" in XftFontOpenInfo, and XftFontInfoEqual, which uses memcmp, will have similar problems. This fix makes no assumptions about the sizes and alignment of members of struct _XftFontInfo by using memset. (It also makes no assumptions about what FcPatternGet* does to its output parameter when it returns FcResultNoMatch.)
Diffstat (limited to 'src/xftfreetype.c')
-rw-r--r--src/xftfreetype.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/src/xftfreetype.c b/src/xftfreetype.c
index fc6e74a..3f1f318 100644
--- a/src/xftfreetype.c
+++ b/src/xftfreetype.c
@@ -392,6 +392,13 @@ XftFontInfoFill (Display *dpy, _Xconst FcPattern *pattern, XftFontInfo *fi)
return FcFalse;
/*
+ * Initialize the whole XftFontInfo so that padding doesn't interfere with
+ * hash or XftFontInfoEqual().
+ */
+
+ memset (fi, '\0', sizeof(*fi));
+
+ /*
* Find the associated file
*/
switch (FcPatternGetString (pattern, FC_FILE, 0, &filename)) {
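Review bot: The comment above the added `memset (fi, '\0', sizeof(*fi));` explains the padding problem but not that later code in this function now depends on the zero fill. The second hunk drops `else fi->file = 0;`, so the `if (!fi->file)` test is only well-defined because every member starts out zero here. I would add a line to the comment such as `* Later code also relies on members (e.g. fi->file) starting out zero; keep this ahead of any read of *fi.` so that nobody later moves or narrows the memset and brings back the uninitialised read. The `return FcFalse;` just above the new block runs before the fill, so on that path `*fi` is left as the caller passed it; presumably callers do not hash or compare it after a failure, but that cannot be confirmed from this hunk. XftFontInfoFill starts and ends outside the hunk.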
@@ -419,8 +426,6 @@ XftFontInfoFill (Display *dpy, _Xconst FcPattern *pattern, XftFontInfo *fi)
else if (FcPatternGetFTFace (pattern, FC_FT_FACE, 0, &face) == FcResultMatch
&& face)
fi->file = _XftGetFaceFile (face);
- else
- fi->file = 0;
if (!fi->file)
goto bail0;