Fix FcCacheOffsetsValid()

Validation fails when the FcValueList contains more than font->num.
this logic was wrong because font->num contains a number of the elements
in FcPatternElt but FcValue in FcValueList.

This corrects 7a4a5bd7.

Patch from Tobias Stoeckmann

Change-Id: I4d14746892a0426b7096810bf30128bf69829417

diff --git a/src/fccache.c b/src/fccache.c
index 02ec301..6f3c68a 100644 (file)
--- a/src/fccache.c
+++ b/src/fccache.c
@@ -640,6 +640,7 @@ FcCacheOffsetsValid (FcCache *cache)
             FcPattern          *font = FcFontSetFont (fs, i);
             FcPatternElt       *e;
             FcValueListPtr      l;
+           char                *last_offset;
 
             if ((char *) font < base ||
                 (char *) font > end - sizeof (FcFontSet) ||
@@ -653,11 +654,17 @@ FcCacheOffsetsValid (FcCache *cache)
             if (e->values != 0 && !FcIsEncodedOffset(e->values))
                 return FcFalse;
 
-            for (j = font->num, l = FcPatternEltValues(e); j >= 0 && l; j--, l = FcValueListNext(l))
-                if (l->next != NULL && !FcIsEncodedOffset(l->next))
-                    break;
-            if (j < 0)
-                return FcFalse;
+           for (j = 0; j < font->num; j++)
+           {
+               last_offset = (char *) font + font->elts_offset;
+               for (l = FcPatternEltValues(&e[j]); l; l = FcValueListNext(l))
+               {
+                   if ((char *) l < last_offset || (char *) l > end - sizeof (*l) ||
+                       (l->next != NULL && !FcIsEncodedOffset(l->next)))
+                       return FcFalse;
+                   last_offset = (char *) l + 1;
+               }
+           }
         }
     }