freetype-commit

From: Ben Wagner (@bungeman)
Subject: [Git][freetype/freetype][master] [ftstroke] Fix invalid pointer assignment to `arc`
Date: Mon, 16 Dec 2024 19:57:51 +0000

Ben Wagner pushed to branch master at FreeType / FreeType

Commits:

  • 38272bf8
    by Ben Wagner at 2024-12-16T14:39:10-05:00
    [ftstroke] Fix invalid pointer assignment to `arc`
    
    In `FT_Stroker_ConicTo` and `FT_Stroker_CubicTo` there is a `bez_stack`.
    `arc` is initialized with `arc = bez_stack` and is never set to point
    into any different object. The main loop looks like `while ( arc >=
    bez_stack )` which depends on a later `arc -= 2` (or `arc -= 3`) to
    make `arc` point to before `bez_stack`. However, using pointer
    subtraction to make `arc` point outside the array is undefined behavior,
    and attempting to use the value in the loop predicate is "very"
    undefined behavior. (C99 "Additive operators" 6.5.6.8.)
    
    This particular undefined behavior was discovered as either hangs or
    MemorySanitizer issues after "[InstCombine] Infer nuw for gep inbounds
    from base of object" [0]. With this change, clang can infer that `arc`
    must always point into the `bez_stack` object and therefore cannot be at
    a "negative index" so the predicate is always true.
    
    [0] https://github.com/llvm/llvm-project/commit/e21ab4d16b555c28ded307571d138f594f33e325
    
    * src/base/ftstroke.c (FT_Stroker_ConicTo, FT_Stroker_CubicTo): test
    loop exit condition (there are no more arcs to process) before
    decrementing `arc`
    
    Fixes: #1307
    

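The loop shape the commit message describes, as an added example in C that is not FreeType's code: a conic-flattening routine that walks a subdivision stack the way `FT_Stroker_ConicTo` does, with the exit test placed before the decrement so the work pointer `arc` never leaves the array. The `Vec2` type, `conic_split`, `conic_is_flat`, `flatten_conic`, the stack size and the flatness criterion are this example's own assumptions; the old `while ( arc >= bez_stack )` form is only quoted in a comment because executing it is undefined behaviour.

```c
/* Added example, not FreeType's code: a conic-flattening loop that walks a
   subdivision stack like FT_Stroker_ConicTo, written so `arc` never moves
   below the array.  Names, stack size and flatness test are assumptions. */
#include <stddef.h>
#include <stdlib.h>

typedef struct { long x, y; } Vec2;

#define MAX_DEPTH   16
/* A conic is 3 points; each split pushes a second conic that overlaps the
   current one by one point, so `arc` always equals bez_stack + 2*k. */
#define STACK_SIZE  ( 2 * MAX_DEPTH + 3 )

/* Midpoint subdivision of the conic at arc[0..2] into arc[0..2] and
   arc[2..4] (same in/out contract as FreeType's ft_conic_split, but
   reimplemented here for the example). */
static void conic_split( Vec2 *arc )
{
  Vec2 q0 = { ( arc[0].x + arc[1].x ) / 2, ( arc[0].y + arc[1].y ) / 2 };
  Vec2 q1 = { ( arc[1].x + arc[2].x ) / 2, ( arc[1].y + arc[2].y ) / 2 };
  Vec2 m  = { ( q0.x + q1.x ) / 2,         ( q0.y + q1.y ) / 2 };

  arc[4] = arc[2];
  arc[3] = q1;
  arc[2] = m;
  arc[1] = q0;      /* arc[0] is unchanged */
}

/* Simple flatness criterion (an assumption of this example): the doubled
   offset of the control point from the chord midpoint, 2*p1 - p0 - p2,
   is at most `tol` on both axes. */
static int conic_is_flat( const Vec2 *arc, long tol )
{
  long dx = 2 * arc[1].x - arc[0].x - arc[2].x;
  long dy = 2 * arc[1].y - arc[0].y - arc[2].y;

  return labs( dx ) <= tol && labs( dy ) <= tol;
}

/* Flattens the conic p0 -> p1 -> p2 into line segments whose end points are
   written to `out`.  Returns the number of points written, or -1 if `out`
   is too small.  The loop has the shape adopted by the commit:

       do { ... if ( arc == bez_stack ) break; arc -= 2; } while ( 1 );

   The old shape, `while ( arc >= bez_stack ) { ...; arc -= 2; }`, relied on
   moving `arc` below the array and then comparing it, which C99 6.5.6
   leaves undefined; it is quoted here and deliberately not executed. */
static int flatten_conic( Vec2 p0, Vec2 p1, Vec2 p2, long tol,
                          Vec2 *out, size_t out_cap )
{
  Vec2    bez_stack[STACK_SIZE];
  Vec2   *arc   = bez_stack;                 /* always inside bez_stack */
  Vec2   *limit = bez_stack + 2 * MAX_DEPTH; /* deepest split position  */
  size_t  n     = 0;

  /* Stored end-first like FreeType (arc[2] is the current point), so the
     half nearer the start lands on top of the stack and is processed first. */
  arc[0] = p2;
  arc[1] = p1;
  arc[2] = p0;

  do
  {
    if ( arc < limit && !conic_is_flat( arc, tol ) )
    {
      conic_split( arc );
      arc += 2;      /* the start half now sits at arc[0..2] */
      continue;      /* in a do/while, `continue` re-tests `while ( 1 )` */
    }

    if ( n >= out_cap )
      return -1;
    out[n++] = arc[0];        /* flat piece: emit its end point */

    if ( arc == bez_stack )   /* outermost piece done: nothing left to pop */
      break;
    arc -= 2;                 /* pop; stays >= bez_stack by construction */
  } while ( 1 );

  return (int)n;
}
```

With powers-of-two inputs such as (0,0), (64,128), (128,0) every midpoint is exact, the deviation shrinks by a factor of four per split, and a tolerance of 8 yields exactly eight segments; an already-flat input exercises the case the fix is about, where the very first iteration finds `arc == bez_stack` and must exit without ever decrementing.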
1 changed file:

Changes:

  • src/base/ftstroke.c
    ... ... @@ -1371,7 +1371,7 @@
    1371 1371
         arc[1] = *control;
    
    1372 1372
         arc[2] = stroker->center;
    
    1373 1373
     
    
    1374
    -    while ( arc >= bez_stack )
    
    1374
    +    do
    
    1375 1375
         {
    
    1376 1376
           FT_Angle  angle_in, angle_out;
    
    1377 1377
     
    
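Review bot: the bare `do` at new line 1374 drops the only statement of what the loop iterates over, so a one-line comment here (for example `/* process the arcs on bez_stack top-down; exit tested at the bottom */`) would stop a later maintainer from "simplifying" it back to `while ( arc >= bez_stack )`, which is exactly the undefined form being removed. The unconditional first iteration is safe because `arc[1]` and `arc[2]` are written immediately above, so `arc` already refers to a populated arc when the body first runs.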
    ... ... @@ -1524,10 +1524,12 @@
    1524 1524
             }
    
    1525 1525
           }
    
    1526 1526
     
    
    1527
    -      arc -= 2;
    
    1528
    -
    
    1529 1527
           stroker->angle_in = angle_out;
    
    1530
    -    }
    
    1528
    +
    
    1529
    +      if ( arc == bez_stack )
    
    1530
    +        break;
    
    1531
    +      arc -= 2;
    
    1532
    +    } while ( 1 );
    
    1531 1533
     
    
    1532 1534
         stroker->center      = *to;
    
    1533 1535
         stroker->line_length = 0;
    
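Review bot: the exit test at new line 1529 uses equality (`arc == bez_stack`) where the old loop used a `>=` bound, which is only correct while every push and pop moves `arc` in whole steps of 2 elements; since that invariant is what the fix rests on, state it in a comment next to the `break` or add an assertion that `arc >= bez_stack + 2` before the `arc -= 2` at 1531. Moving `stroker->angle_in = angle_out;` ahead of the pop is harmless, as it does not read `arc`. Stylistically, `do { ... } while ( 1 );` with an interior `break` is a `for ( ;; )` in disguise; either form works, but the reason the test sits at the bottom deserves a comment either way.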
    ... ... @@ -1577,7 +1579,7 @@
    1577 1579
         arc[2] = *control1;
    
    1578 1580
         arc[3] = stroker->center;
    
    1579 1581
     
    
    1580
    -    while ( arc >= bez_stack )
    
    1582
    +    do
    
    1581 1583
         {
    
    1582 1584
           FT_Angle  angle_in, angle_mid, angle_out;
    
    1583 1585
     
    
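Review bot: same structural change as the conic loop, and the same request applies to the `do` at new line 1582: a short comment on why the loop condition moved to the bottom, so both loops carry the same explanation. `arc[3] = stroker->center` immediately above guarantees the first iteration already sees a fully populated cubic, so no extra guard is needed before entering the loop.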
    ... ... @@ -1741,10 +1743,12 @@
    1741 1743
             }
    
    1742 1744
           }
    
    1743 1745
     
    
    1744
    -      arc -= 3;
    
    1745
    -
    
    1746 1746
           stroker->angle_in = angle_out;
    
    1747
    -    }
    
    1747
    +
    
    1748
    +      if ( arc == bez_stack )
    
    1749
    +        break;
    
    1750
    +      arc -= 3;
    
    1751
    +    } while ( 1 );
    
    1748 1752
     
    
    1749 1753
         stroker->center      = *to;
    
    1750 1754
         stroker->line_length = 0;
    
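Review bot: the pop stride `arc -= 3` at new line 1750 must stay in lockstep with whatever push stride the loop body uses when it subdivides (not visible in this hunk), and the equality exit at 1748 silently depends on that; a comment tying the two together, or a single named constant for the stride, would make the invariant auditable without reading the whole function. As in the conic hunk, the assignment `stroker->angle_in = angle_out;` now precedes the exit test and the pop, which is fine because it does not touch `arc`.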

