ref: 2c3e895c745fe417e501195310de973867f0d43e
parent: 6e44d78cc1d89f39e1086441ae4cbb2815d9f067
author: Alexei Podtelezhnikov <[email protected]>
date: Sat Jul 28 18:00:59 EDT 2018
[smooth] Fix Harmony memory management. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9501 * src/smooth/ftgrays.c (ft_smooth_render_generic): Restore buffer after each rendering in case of failure.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-07-28 Alexei Podtelezhnikov <[email protected]>
+
+ [smooth] Fix Harmony memory management.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9501
+
+ * src/smooth/ftgrays.c (ft_smooth_render_generic): Restore buffer
+ after each rendering in case of failure.
+
2018-07-28 Werner Lemberg <[email protected]>
[type1] Avoid segfaults with `FT_Get_PS_Font_Value'.
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -264,18 +264,19 @@
bitmap->buffer += width;
FT_Outline_Translate( outline, sub[0].x - sub[1].x, sub[0].y - sub[1].y );
error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= width;
if ( error )
goto Exit;
- bitmap->buffer += width;
+ bitmap->buffer += 2 * width;
FT_Outline_Translate( outline, sub[1].x - sub[2].x, sub[1].y - sub[2].y );
error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= 2 * width;
if ( error )
goto Exit;
x_shift -= sub[2].x;
y_shift -= sub[2].y;
- bitmap->buffer -= 2 * width;
/* XXX: Rearrange the bytes according to FT_PIXEL_MODE_LCD. */
/* XXX: It is more efficient to render every third byte above. */
@@ -318,18 +319,19 @@
bitmap->buffer += pitch;
FT_Outline_Translate( outline, sub[0].y - sub[1].y, sub[1].x - sub[0].x );
error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= pitch;
if ( error )
goto Exit;
- bitmap->buffer += pitch;
+ bitmap->buffer += 2 * pitch;
FT_Outline_Translate( outline, sub[1].y - sub[2].y, sub[2].x - sub[1].x );
error = render->raster_render( render->raster, ¶ms );
+ bitmap->buffer -= 2 * pitch;
if ( error )
goto Exit;
x_shift -= sub[2].y;
y_shift += sub[2].x;
- bitmap->buffer -= 2 * pitch;
bitmap->pitch /= 3;
bitmap->rows *= 3;