Ming Zhao
2006-Apr-07 00:55 UTC
[Fontconfig] realloc error in FcObjectToPtrLookup and proposed patch
Hello,

I got a realloc error when running gnome-terminal with fontconfig-2.3.94:

*** glibc detected *** realloc(): invalid next size: 0x00000000005da780***

I did some debugging and found the implementation of FcObjectToPtrLookup didn't check user_obj_alloc against l->ntypes properly, which caused the tail of _FcUserObjectNames being modified unexpectedly. I think "user_obj_alloc < l->ntypes" in fcname.c:222 should be changed to "<=".

Also, we can't assume that the newly allocated pointer by realloc is the same as the older one, so we can't use "l->types == _FcUserObjectNames" after realloc.

Attached is the proposed patch, hoping it would be useful.

Best,
Ming

-------------- next part --------------
A non-text attachment was scrubbed...
Name: realloc.patch
Type: text/x-patch
Size: 845 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/fontconfig/attachments/20060407/eb892db9/realloc.bin
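The two defects the report describes, as an added C example modelled on the mail's description rather than fontconfig's own code; the NameList type, the user_object_names/user_obj_alloc globals and the function names are assumptions. It shows the corrected capacity test (grow when the capacity is less than or equal to the count, not strictly less) and the pointer refresh that the realloc move requires.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable table of object names (assumed layout, not fontconfig's). */
typedef struct {
    const char **types;   /* alias of the current backing array */
    int ntypes;           /* entries in use */
} NameList;

static const char **user_object_names = NULL; /* shared backing array */
static int user_obj_alloc = 0;                /* its capacity in entries */

/* A write at index ntypes needs ntypes < alloc. Growing only when
 * "alloc < ntypes" (the '<' the report flags) skips the ntypes == alloc
 * case and writes one element past the block, which glibc later reports
 * as "invalid next size". Returns 1 when that write would overflow. */
int write_would_overflow(int alloc, int ntypes) { return ntypes >= alloc; }

/* Append a name, growing the shared array with realloc when needed.
 * Returns the new entry's index, or -1 if allocation fails. */
int name_list_add(NameList *l, const char *name)
{
    if (l->types == user_object_names && user_obj_alloc <= l->ntypes) {
        int nalloc = user_obj_alloc ? user_obj_alloc * 2 : 4;
        const char **p = realloc(user_object_names, nalloc * sizeof *p);
        if (!p) return -1;
        user_object_names = p;
        user_obj_alloc = nalloc;
        /* realloc may move the block: refresh the alias instead of
         * comparing l->types against the new pointer afterwards. */
        l->types = user_object_names;
    }
    l->types[l->ntypes] = name;
    return l->ntypes++;
}

/* Grow a list through two reallocations and confirm the alias never goes
 * stale and no write lands past the capacity. Returns 1 on success. */
int check_alias_after_growth(void)
{
    NameList l = { user_object_names, 0 };
    char buf[8][16];                      /* constructed sample names */
    for (int i = 0; i < 8; i++) {
        snprintf(buf[i], sizeof buf[i], "obj%d", i);
        if (name_list_add(&l, buf[i]) != i) return 0;
        if (l.types != user_object_names) return 0; /* stale alias */
        if (l.ntypes > user_obj_alloc) return 0;    /* past capacity */
    }
    return strcmp(l.types[7], "obj7") == 0;
}
```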
Patrick Lam
2006-Apr-11 20:03 UTC
[Fontconfig] realloc error in FcObjectToPtrLookup and proposed patch
Ming Zhao wrote:
> Hello,
>
> I got a realloc error when running gnome-terminal with fontconfig-2.3.94:
> *** glibc detected *** realloc(): invalid next size: 0x00000000005da780***
>
> I did some debugging and found the implementation of FcObjectToPtrLookup
> didn't check user_obj_alloc against l->ntypes properly, which caused the
> tail of _FcUserObjectNames being modified unexpectedly. I think
> "user_obj_alloc < l->ntypes" in fcname.c:222 should be changed to "<=".
>
> Also, we can't assume that the newly allocated pointer by realloc is the same
> as the older one, so we can't use "l->types == _FcUserObjectNames" after
> realloc.
>
> Attached is the proposed patch, hoping it would be useful.

Thanks. I almost forgot about this patch, since I was travelling at the time. I've committed a minor variation on it.

pat