1 files changed, 51 insertions, 0 deletions

diff --git a/contrib/fontconfig/A01-fccache.patch b/contrib/fontconfig/A01-fccache.patch
new file mode 100644
index 000000000..e1d26dac6
--- /dev/null
+++ b/contrib/fontconfig/A01-fccache.patch
@@ -0,0 +1,51 @@
+From 0e9b2a152729bfd457e656a9258a06cbfdac1bae Mon Sep 17 00:00:00 2001
+From: Akira TAGOH <[email protected]>
+Date: Mon, 14 Nov 2016 20:14:35 +0900
+Subject: Fix FcCacheOffsetsValid()
+
+Validation fails when the FcValueList contains more than font->num.
+this logic was wrong because font->num contains a number of the elements
+in FcPatternElt but FcValue in FcValueList.
+
+This corrects 7a4a5bd7.
+
+Patch from Tobias Stoeckmann
+
+diff --git a/src/fccache.c b/src/fccache.c
+index 02ec301..6f3c68a 100644
+--- a/src/fccache.c
++++ b/src/fccache.c
+@@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
+             FcPattern		*font = FcFontSetFont (fs, i);
+             FcPatternElt	*e;
+             FcValueListPtr	 l;
++	    char                *last_offset;
+ 
+             if ((char *) font < base ||
+                 (char *) font > end - sizeof (FcFontSet) ||
+@@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
+             if (e->values != 0 && !FcIsEncodedOffset(e->values))
+                 return FcFalse;
+ 
+-            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
+-                if (l->next != NULL && !FcIsEncodedOffset(l->next))
+-                    break;
+-            if (j < 0)
+-                return FcFalse;
++	    for (j = 0; j < font->num; j++)
++	    {
++		last_offset = (char *) font + font->elts_offset;
++		for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
++		{
++		    if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
++			(l->next != NULL && !FcIsEncodedOffset(l->next)))
++			return FcFalse;
++		    last_offset = (char *) l + 1;
++		}
++	    }
+         }
+     }
+ 
+-- 
+cgit v0.10.2
+