Commit 8ae5ea8c authored by Karl Tomlinson, committed by Keith Packard

XftFontOpenInfo: Use of uninitialised value of size 8 (bug 11200)

This is due to XftFontInfoFill using the binary representation of the
XftFontInfo to generate fi->hash.

With 64-bit pointers there is padding between .hash and .file in struct
_XftFontInfo.  This padding is not initialized, and the hash uses these
bytes.

This will interfere with finding "a matching previously opened font" in
XftFontOpenInfo, and XftFontInfoEqual, which uses memcmp, will have similar
problems.

This fix makes no assumptions about the sizes and alignment of members of
struct _XftFontInfo by using memset.  (It also makes no assumptions about
what FcPatternGet* does to its output parameter when it returns
FcResultNoMatch.)
parent a782fe3f
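The failure the commit message describes, as an added example that is not Xft's code: a hypothetical `struct font_info` stands in for `struct _XftFontInfo`, with a 32-bit hash followed by a pointer so that LP64 targets insert padding between the two members. `fill_unsafe` assigns only the named members (as the old XftFontInfoFill did) and `fill_safe` zeroes the whole object first (the fix); both then hash the raw bytes and compare with memcmp, mirroring the hash and XftFontInfoEqual. The stale-memory byte, the FNV-1a hash and the font path are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for struct _XftFontInfo (not Xft's real layout):
 * a 32-bit hash followed by a pointer.  On LP64 targets the pointer needs
 * 8-byte alignment, so the compiler inserts 4 bytes of padding after
 * `hash`, which is the gap the commit message describes.
 */
struct font_info {
    uint32_t    hash;
    const char *file;
    int         id;
};

/* Bytes of the struct that no named member covers (padding). */
size_t font_info_padding(void)
{
    return sizeof(struct font_info)
         - (sizeof(uint32_t) + sizeof(const char *) + sizeof(int));
}

/* FNV-1a over raw bytes, standing in for the hash XftFontInfoFill
 * computes over the binary representation of the struct. */
static uint32_t hash_bytes(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 16777619u;
    }
    return h;
}

/* `stale` simulates whatever the caller's memory happened to contain
 * before the fill; only the padding keeps it in the unsafe version. */
static void fill_unsafe(struct font_info *fi, const char *file, int id,
                        unsigned char stale)
{
    memset(fi, stale, sizeof *fi);      /* stale contents before the call */
    fi->hash = 0;                       /* named members only are written */
    fi->file = file;
    fi->id   = id;
    fi->hash = hash_bytes(fi, sizeof *fi);
}

static void fill_safe(struct font_info *fi, const char *file, int id,
                      unsigned char stale)
{
    memset(fi, stale, sizeof *fi);      /* stale contents before the call */
    memset(fi, 0, sizeof *fi);          /* the fix: zero padding as well */
    fi->hash = 0;
    fi->file = file;
    fi->id   = id;
    fi->hash = hash_bytes(fi, sizeof *fi);
}

/* Whole-object memcmp, as XftFontInfoEqual does. */
static int info_equal(const struct font_info *a, const struct font_info *b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* 1 if two infos built from identical inputs, but over different stale
 * memory, end up with different hashes or fail the memcmp equality. */
int unsafe_fill_mismatches(void)
{
    static const char file[] = "/usr/share/fonts/example.ttf"; /* constructed */
    struct font_info a, b;
    fill_unsafe(&a, file, 7, 0xAA);
    fill_unsafe(&b, file, 7, 0x55);
    return a.hash != b.hash || !info_equal(&a, &b);
}

/* 1 if the zero-initialised versions agree regardless of stale memory. */
int safe_fill_matches(void)
{
    static const char file[] = "/usr/share/fonts/example.ttf"; /* constructed */
    struct font_info a, b;
    fill_safe(&a, file, 7, 0xAA);
    fill_safe(&b, file, 7, 0x55);
    return a.hash == b.hash && info_equal(&a, &b);
}

int main(void)
{
    printf("padding bytes:          %zu\n", font_info_padding());
    printf("unsafe fill mismatches: %d\n", unsafe_fill_mismatches());
    printf("safe fill matches:      %d\n", safe_fill_matches());
    return 0;
}
```

On a 64-bit build the struct has padding after `hash` and again after `id`, so the unsafe fill produces two objects whose fields are identical yet whose hashes differ and whose memcmp fails, which is exactly why the font cache lookup in XftFontOpenInfo missed previously opened fonts. On a target with no padding the unsafe version happens to agree, which is why the bug only showed up with 64-bit pointers.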
......@@ -391,6 +391,13 @@ XftFontInfoFill (Display *dpy, _Xconst FcPattern *pattern, XftFontInfo *fi)
if (!info)
return FcFalse;
/*
* Initialize the whole XftFontInfo so that padding doesn't interfere with
* hash or XftFontInfoEqual().
*/
memset (fi, '\0', sizeof(*fi));
/*
* Find the associated file
*/
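Review bot: the `memset (fi, '\0', sizeof(*fi));` is placed after the `if (!info) return FcFalse;` check, so it only protects the hash and XftFontInfoEqual() as long as nothing writes to `fi` before this point; consider moving the memset to the very top of XftFontInfoFill so that invariant cannot be broken by a later edit, and extend the comment to say that every member (not just the padding) is expected to be zero from here on. Nit: `0` rather than `'\0'` is the usual memset idiom for a struct.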
......@@ -419,8 +426,6 @@ XftFontInfoFill (Display *dpy, _Xconst FcPattern *pattern, XftFontInfo *fi)
else if (FcPatternGetFTFace (pattern, FC_FT_FACE, 0, &face) == FcResultMatch
&& face)
fi->file = _XftGetFaceFile (face);
else
fi->file = 0;
if (!fi->file)
goto bail0;
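Review bot: with `else fi->file = 0;` removed, the `if (!fi->file) goto bail0;` test now depends on the memset earlier in the function having zeroed `fi->file`, and that dependency is not visible at this point in the code; add a one-line comment at the `if (!fi->file)` check saying the file pointer was zeroed by the initial memset (or keep the explicit else branch), so the uninitialised read is not reintroduced if the memset is ever moved or made conditional.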