diff options
| author | magras <dr.magras@gmail.com> | 2019-02-28 04:56:01 +0300 |
|---|---|---|
| committer | Hiltjo Posthuma <hiltjo@codemadness.org> | 2019-03-03 11:18:31 +0100 |
| commit | a8cb8e94547d7e31441d2444e8a196415e3e4c1f (patch) | |
| tree | e21fe7c6c9dd86fe0b6982160f850499fec838db | |
| parent | e85b6b64660214121164ea97fb098eaa4935f7db (diff) | |
| download | st-a8cb8e94547d7e31441d2444e8a196415e3e4c1f.tar.gz st-a8cb8e94547d7e31441d2444e8a196415e3e4c1f.zip | |
fix use after free in font caching algorithm
Current font caching algorithm contains a use after free error. A font
removed from `frc` might be still listed in `wx.specbuf`. It will lead
to a crash inside `XftDrawGlyphFontSpec()`.
Steps to reproduce:
$ st -f 'Misc Tamsyn:scalable=false'
$ curl https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-demo.txt
Of course, result depends on fonts installed on a system and fontconfig.
In my case, I'm getting consistent segfaults with different fonts.
I replaced a fixed array with a simple unbounded buffer with a constant
growth rate. Cache starts with a capacity of 0, gets increments by 16,
and never shrinks. On my machine after `cat UTF-8-demo.txt` buffer
reaches a capacity of 192. During casual use capacity stays at 0.
| -rw-r--r-- | x.c | 15 |
1 files changed, 9 insertions, 6 deletions
| @@ -226,8 +226,9 @@ typedef struct { | |||
| 226 | } Fontcache; | 226 | } Fontcache; |
| 227 | 227 | ||
| 228 | /* Fontcache is an array now. A new font will be appended to the array. */ | 228 | /* Fontcache is an array now. A new font will be appended to the array. */ |
| 229 | static Fontcache frc[16]; | 229 | static Fontcache *frc = NULL; |
| 230 | static int frclen = 0; | 230 | static int frclen = 0; |
| 231 | static int frccap = 0; | ||
| 231 | static char *usedfont = NULL; | 232 | static char *usedfont = NULL; |
| 232 | static double usedfontsize = 0; | 233 | static double usedfontsize = 0; |
| 233 | static double defaultfontsize = 0; | 234 | static double defaultfontsize = 0; |
| @@ -1244,12 +1245,14 @@ xmakeglyphfontspecs(XftGlyphFontSpec *specs, const Glyph *glyphs, int len, int x | |||
| 1244 | fcpattern, &fcres); | 1245 | fcpattern, &fcres); |
| 1245 | 1246 | ||
| 1246 | /* | 1247 | /* |
| 1247 | * Overwrite or create the new cache entry. | 1248 | * Allocate memory for the new cache entry. |
| 1248 | */ | 1249 | */ |
| 1249 | if (frclen >= LEN(frc)) { | 1250 | if (frclen >= frccap) { |
| 1250 | frclen = LEN(frc) - 1; | 1251 | frccap += 16; |
| 1251 | XftFontClose(xw.dpy, frc[frclen].font); | 1252 | if (!frc) |
| 1252 | frc[frclen].unicodep = 0; | 1253 | frc = xmalloc(frccap * sizeof(Fontcache)); |
| 1254 | else | ||
| 1255 | frc = xrealloc(frc, frccap * sizeof(Fontcache)); | ||
| 1253 | } | 1256 | } |
| 1254 | 1257 | ||
| 1255 | frc[frclen].font = XftFontOpenPattern(xw.dpy, | 1258 | frc[frclen].font = XftFontOpenPattern(xw.dpy, |