Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixed bug 2749 - Invalid memory read & write by TTF_RenderUTF8* functions with specific input

Ignacio R. Morelle

Under certain circumstances, the TTF_RenderUTF8* function family (also used by their TTF_RenderUNICODE* and TTF_RenderText* counterparts in SDL_ttf 2.0.12) may read and write to memory preceding an allocated pixmap block, potentially corrupting other structures and causing execution to crash later at a random point, especially during SDL invocations -- either by tripping a libc sanity check ("free(): invalid size" aborts, etc.), or causing a plain segmentation fault.

The affected (base) functions I could identify from runtime testing with valgrind's memcheck tool are:

* TTF_RenderUTF8_Blended
* TTF_RenderUTF8_Shaded
* TTF_RenderUTF8_Solid

From a cursory glance at the code, I suspect TTF_RenderUTF8_Blended_Wrapped is affected as well, since it uses the same pattern for copying the glyph from FreeType into the target SDL_Surface's pixmap.

The problematic pattern in question:

    SDL_Surface *textbuf;
    c_glyph *glyph;
    int offset;
    Uint32 *dst_check;

    /* glyph->minx may be negative and less than -offset below! */
    Uint32 *dst = (Uint32*) textbuf->pixels + offset + glyph->minx;
    /* (dst < dst_check) is verified later, but (textbuf->pixels >= dst) isn't */

The circumstances for triggering the fault are, unfortunately, very specific:

* Using the DejaVu Sans font at size 16 to render...
* A string consisting of an ASCII space followed by a Unicode combining character (U+0361 COMBINING DOUBLE INVERTED BREVE in my tests)
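The pointer arithmetic described in the commit message, reduced to a stand-alone C illustration (added here; not SDL_ttf's code and not the commit's actual patch). The `Pixmap` and `GlyphBox` types are constructed stand-ins for the SDL_Surface and c_glyph fields involved; the hardened row copy clips the leading columns so a negative `minx` can never move the destination before the start of the row.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the SDL_Surface pixel buffer. */
typedef struct {
    uint32_t *pixels;
    int w, h, pitch_px; /* pitch in pixels, not bytes */
} Pixmap;

/* Constructed stand-in for the c_glyph fields used by the copy loop. */
typedef struct {
    int minx;  /* may be negative, e.g. for combining characters */
    int width; /* glyph bitmap width in pixels */
} GlyphBox;

/* The unchecked pattern: the column the copy would start at.
 * A negative result means the first write lands before the row (and,
 * on row 0, before the allocated pixmap). */
int unchecked_start_column(int offset, const GlyphBox *g) {
    return offset + g->minx;
}

/* Hardened copy of one glyph row: clips columns that fall outside [0, w).
 * Returns pixels visited, or -1 if nothing of the glyph is inside the row. */
int blit_glyph_row_checked(Pixmap *pm, int row, int offset, const GlyphBox *g,
                           const uint8_t *src, uint32_t color) {
    if (row < 0 || row >= pm->h) return -1;
    int start = offset + g->minx, end = start + g->width, skip = 0;
    if (start < 0) { skip = -start; start = 0; } /* drop columns preceding the row */
    if (end > pm->w) end = pm->w;
    if (start >= end) return -1;
    uint32_t *dst = pm->pixels + (size_t)row * pm->pitch_px + start;
    src += skip; /* keep source and destination columns aligned after clipping */
    for (int x = start; x < end; x++, src++, dst++)
        if (*src) *dst = color;
    return end - start;
}

/* Constructed scenario mirroring the report: offset 1, minx -3 on row 0.
 * buf[0] is a sentinel standing in for whatever heap block precedes the pixmap. */
int demo_case(void) {
    uint32_t buf[1 + 8 * 2];
    memset(buf, 0, sizeof buf);
    buf[0] = 0xDEADBEEF;
    Pixmap pm = { buf + 1, 8, 2, 8 };
    GlyphBox g = { -3, 4 };
    uint8_t src[4] = { 1, 1, 1, 1 };
    int written = blit_glyph_row_checked(&pm, 0, 1, &g, src, 0xFF);
    return buf[0] == 0xDEADBEEF ? written : -2; /* -2: sentinel was clobbered */
}
```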
Showing 1 changed file with 36 additions and 67 deletions.