-
Show log
Commit
-
Hash : 38272bf8
Author :
Date : 2024-12-16T14:29:36
[ftstroke] Fix invalid pointer assignement to `arc` In `FT_Stroker_ConicTo` and `FT_Stroker_CubicTo` there is a `bez_stack`. `arc` is initialized with `arc = bez_stack` and is never set to point into any different object. The main loop looks like `while ( arc >= bez_stack )` which is depending on a later `arc -= 2` (or `arc -= 3`) to make `arc` point to before `bez_stack`. However, using pointer subtraction to make `arc` point outside the array is undefined behavior, and attempting to use the value in the loop predicate is "very" undefined behavior. (C99 "Additive operators" 6.5.6.8.) This particular undefined behavior was discovered as either hangs or MemorySantizer issues after "[InstCombine] Infer nuw for gep inbounds from base of object" [0]. With this change, clang can infer that `arc` must always point into the `bez_stack` object and therefore cannot be at a "negative index" so the predicate is always true. [0] https://github.com/llvm/llvm-project/commit/e21ab4d16b555c28ded307571d138f594f33e325 * src/base/ftstroke.c (FT_Stroker_ConicTo, FT_Stroker_CubicTo): test loop exit condition (there are no more arcs to process) before decrementing `arc` Fixes: #1307
-
Files
- ftadvanc.c
- ftbase.c
- ftbase.h
- ftbbox.c
- ftbdf.c
- ftbitmap.c
- ftcalc.c
- ftcid.c
- ftcolor.c
- ftdbgmem.c
- ftdebug.c
- fterrors.c
- ftfntfmt.c
- ftfstype.c
- ftgasp.c
- ftgloadr.c
- ftglyph.c
- ftgxval.c
- fthash.c
- ftinit.c
- ftlcdfil.c
- ftmac.c
- ftmm.c
- ftobjs.c
- ftotval.c
- ftoutln.c
- ftpatent.c
- ftpfr.c
- ftpsprop.c
- ftrfork.c
- ftsnames.c
- ftstream.c
- ftstroke.c
- ftsynth.c
- ftsystem.c
- fttrigon.c
- fttype1.c
- ftutil.c
- ftver.rc
- ftwinfnt.c
- md5.c
- md5.h
- rules.mk
