From 2c3e895c745fe417e501195310de973867f0d43e Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Sat, 28 Jul 2018 22:00:59 -0400
Subject: [PATCH] [smooth] Fix Harmony memory management.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9501

* src/smooth/ftgrays.c (ft_smooth_render_generic): Restore buffer
after each rendering in case of failure.
---
ChangeLog | 11 +++++++++++
src/smooth/ftsmooth.c | 10 ++++++----
2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ab5102c5b..f814bf4d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-07-28 Alexei Podtelezhnikov
+
+ [smooth] Fix Harmony memory management.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9501
+
+ * src/smooth/ftgrays.c (ft_smooth_render_generic): Restore buffer
+ after each rendering in case of failure.
+
 2018-07-28 Werner Lemberg

 [type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index 02b0c3d87..1007f39a6 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -264,18 +264,19 @@
 bitmap->buffer += width;
 FT_Outline_Translate( outline, sub[0].x - sub[1].x, sub[0].y - sub[1].y );
 error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= width;
 if ( error )
 goto Exit;

- bitmap->buffer += width;
+ bitmap->buffer += 2 * width;
 FT_Outline_Translate( outline, sub[1].x - sub[2].x, sub[1].y - sub[2].y );
 error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= 2 * width;
 if ( error )
 goto Exit;

 x_shift -= sub[2].x;
 y_shift -= sub[2].y;
- bitmap->buffer -= 2 * width;

 /* XXX: Rearrange the bytes according to FT_PIXEL_MODE_LCD. */
 /* XXX: It is more efficient to render every third byte above. */
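Review bot: The restore placed before each `if ( error )` still depends on every `bitmap->buffer += …` being paired by hand with a matching `-= …`, so a later early exit added between the two would again leave Exit with a shifted pointer. Keeping the base in a local removes the pairing: `unsigned char*  origin = bitmap->buffer;` once, then `bitmap->buffer = origin + 2 * width;` before the render and `bitmap->buffer = origin;` after it. The same applies to the `pitch` arithmetic in the second hunk of this file. Exit and the start of the function are outside the hunk, so what Exit does with the buffer is inferred from the commit message. The commit message and ChangeLog also name src/smooth/ftgrays.c, while the patched file is src/smooth/ftsmooth.c.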
@@ -318,18 +319,19 @@
 bitmap->buffer += pitch;
 FT_Outline_Translate( outline, sub[0].y - sub[1].y, sub[1].x - sub[0].x );
 error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= pitch;
 if ( error )
 goto Exit;

- bitmap->buffer += pitch;
+ bitmap->buffer += 2 * pitch;
 FT_Outline_Translate( outline, sub[1].y - sub[2].y, sub[2].x - sub[1].x );
 error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= 2 * pitch;
 if ( error )
 goto Exit;

 x_shift -= sub[2].y;
 y_shift += sub[2].x;
- bitmap->buffer -= 2 * pitch;

 bitmap->pitch /= 3;
 bitmap->rows *= 3;
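Review bot: On both `goto Exit` paths in this hunk the outline has already been moved by `FT_Outline_Translate`, but `x_shift`/`y_shift` are only adjusted after the last render (`x_shift -= sub[2].y; y_shift += sub[2].x;`), so the totals do not reflect the shift when a render fails. Exit is outside the hunk; if it undoes the translation from `x_shift`/`y_shift`, a failed render would return with the caller's outline still displaced, the same kind of stale state this commit fixes for `bitmap->buffer`. Accumulating each delta as it is applied would keep the two in step, e.g. `x_shift += sub[0].y - sub[1].y; y_shift += sub[1].x - sub[0].x;` right after the first translate here, in place of the single update after the last render. The first hunk of this file has the same shape with the `.x`/`.y` components.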