diff --git a/ChangeLog b/ChangeLog
index 4f4e2eef5..1d59ec974 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-12-08 Werner Lemberg
+
+ Fix access to uninitalized memory (#52613).
+
+ Also reported as
+
+ https://bugs.chromium.org/p/chromium/issues/detail?id=791317
+
+ * src/base/ftbitmap.c (ft_bitmap_assure_buffer): If increasing the
+ bitmap size needs a larger bitmap buffer, assure that the new memory
+ areas are initialized also.
+
 2017-12-08 Werner Lemberg
 Fix `make setup dos' (#52622).
diff --git a/src/base/ftbitmap.c b/src/base/ftbitmap.c
index 2a2a9dbfb..f7bd2705c 100644
--- a/src/base/ftbitmap.c
+++ b/src/base/ftbitmap.c
@@ -235,21 +235,48 @@
 {
 FT_UInt len = ( width * bpp + 7 ) >> 3;
+ unsigned char* in = bitmap->buffer;
+ unsigned char* out = buffer;
- for ( i = 0; i < bitmap->rows; i++ )
- FT_MEM_COPY( buffer + (FT_UInt)new_pitch * ( ypixels + i ),
- bitmap->buffer + (FT_UInt)pitch * i,
- len );
+ unsigned char* limit = bitmap->buffer + pitch * bitmap->rows;
+ int delta = new_pitch - pitch;
+
+
+ FT_MEM_ZERO( out, new_pitch * ypixels );
+ out += new_pitch * ypixels;
+
+ while ( in < limit )
+ {
+ FT_MEM_COPY( out, in, len );
+ in += pitch;
+ out += pitch;
+
+ FT_MEM_ZERO( out, delta );
+ out += delta;
+ }
 }
 else
 {
 FT_UInt len = ( width * bpp + 7 ) >> 3;
+ unsigned char* in = bitmap->buffer;
+ unsigned char* out = buffer;
+
+ unsigned char* limit = bitmap->buffer + pitch * bitmap->rows;
+ int delta = new_pitch - pitch;
+
+
+ while ( in < limit )
+ {
+ FT_MEM_COPY( out, in, len );
+ in += pitch;
+ out += pitch;
+
+ FT_MEM_ZERO( out, delta );
+ out += delta;
+ }
- for ( i = 0; i < bitmap->rows; i++ )
- FT_MEM_COPY( buffer + (FT_UInt)new_pitch * i,
- bitmap->buffer + (FT_UInt)pitch * i,
- len );
+ FT_MEM_ZERO( out, new_pitch * ypixels );
 }
 FT_FREE( bitmap->buffer );
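Review bot: `int delta = new_pitch - pitch;` in both branches feeds `FT_MEM_ZERO( out, delta )`, whose count ends up as an unsigned memset length, so a negative delta becomes a huge clear; nothing inside the hunk establishes `new_pitch >= pitch`, and a caller-supplied bitmap whose old pitch is padded wider than the newly computed pitch (ypixels > 0 with small or zero xpixels) would reach that path, also leaving `out += pitch` past the new row end. Unless the code before the hunk already clamps it, a guard such as `if ( new_pitch < pitch ) new_pitch = pitch;` ahead of the allocation, or at minimum `FT_ASSERT( delta >= 0 );` after the declaration, is needed. The removed lines cast `pitch`/`new_pitch` to FT_UInt before multiplying by the unsigned `rows`; the new `pitch * bitmap->rows` mixes signed and unsigned, so keeping the casts would preserve sign-conversion cleanliness. A why-comment on the per-row tail zeroing would help the next reader, e.g. `/* the new buffer is not zero-initialized; clear the row padding too */`, and the identical copy loop in both branches could be shared, differing only in where the ypixels rows are zeroed. ft_bitmap_assure_buffer starts and ends outside the hunk.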