Fix access to uninitalized memory (#52613).

Also reported as https://bugs.chromium.org/p/chromium/issues/detail?id=791317 * src/base/ftbitmap.c (ft_bitmap_assure_buffer): If increasing the bitmap size needs a larger bitmap buffer, assure that the new memory areas are initialized also.
2017-12-08 09:54:36 +01:00 · 2017-12-08 09:54:36 +01:00 · e1090c608b
parent 99df4919fd
commit e1090c608b
2 changed files with 47 additions and 8 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2017-12-08  Werner Lemberg  <wl@gnu.org>
+
+	Fix access to uninitalized memory (#52613).
+
+	Also reported as
+
+	  https://bugs.chromium.org/p/chromium/issues/detail?id=791317
+
+	* src/base/ftbitmap.c (ft_bitmap_assure_buffer): If increasing the
+	bitmap size needs a larger bitmap buffer, assure that the new memory
+	areas are initialized also.
+
 2017-12-08  Werner Lemberg  <wl@gnu.org>

 	Fix `make setup dos' (#52622).
--- a/src/base/ftbitmap.c
+++ b/src/base/ftbitmap.c
@ -235,21 +235,48 @@
    {
      FT_UInt  len = ( width * bpp + 7 ) >> 3;

+      unsigned char*  in  = bitmap->buffer;
+      unsigned char*  out = buffer;

-      for ( i = 0; i < bitmap->rows; i++ )
-        FT_MEM_COPY( buffer + (FT_UInt)new_pitch * ( ypixels + i ),
-                     bitmap->buffer + (FT_UInt)pitch * i,
-                     len );
+      unsigned char*  limit = bitmap->buffer + pitch * bitmap->rows;
+      int             delta = new_pitch - pitch;
+
+
+      FT_MEM_ZERO( out, new_pitch * ypixels );
+      out += new_pitch * ypixels;
+
+      while ( in < limit )
+      {
+        FT_MEM_COPY( out, in, len );
+        in  += pitch;
+        out += pitch;
+
+        FT_MEM_ZERO( out, delta );
+        out += delta;
+      }
    }
    else
    {
      FT_UInt  len = ( width * bpp + 7 ) >> 3;

+      unsigned char*  in  = bitmap->buffer;
+      unsigned char*  out = buffer;

-      for ( i = 0; i < bitmap->rows; i++ )
-        FT_MEM_COPY( buffer + (FT_UInt)new_pitch * i,
-                     bitmap->buffer + (FT_UInt)pitch * i,
-                     len );
+      unsigned char*  limit = bitmap->buffer + pitch * bitmap->rows;
+      int             delta = new_pitch - pitch;
+
+
+      while ( in < limit )
+      {
+        FT_MEM_COPY( out, in, len );
+        in  += pitch;
+        out += pitch;
+
+        FT_MEM_ZERO( out, delta );
+        out += delta;
+      }
+
+      FT_MEM_ZERO( out, new_pitch * ypixels );
    }

    FT_FREE( bitmap->buffer );