From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Fedora/1.0.6-1.2.fc4 Firefox/1.0.6

Description of problem:
The first problem is in pango-1.10.0/modules/hangul/hangul-fc.c. In that file, there is an array index that can be incremented by 3 or 1. It allocates more memory when it detects that the next pass is starting with the iterator 1 beyond legal memory. Because the loop can be incremented by 1 sometimes, it can fail the test and then need to write to 3 locations.

Example: the array index is 7, which is below the test to allocate memory (8). It may then need to write to locations 7, 8, and 9, where 8 and 9 are beyond the array.

There was an unused variable, a number of divide-by-zeros which I did not fix, and 2 memory leaks.

Version-Release number of selected component (if applicable):
pango-1.10.0

How reproducible:
Always

Steps to Reproduce:
1. Problem found in code review

Additional info:
Will attach patch that corrects problems.
Filed upstream as:
http://bugzilla.gnome.org/show_bug.cgi?id=316466
http://bugzilla.gnome.org/show_bug.cgi?id=316467
http://bugzilla.gnome.org/show_bug.cgi?id=316468
http://bugzilla.gnome.org/show_bug.cgi?id=316469
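The growth-check pattern the report describes, as an added illustration that is not pango's code and not the reporter's patch: a glyph array that grows while a shaping loop appends 1 or 3 entries per iteration. The structure, function names and the cluster-size sequence {3, 3, 1, 3} are constructed here to reproduce the report's numbers (index 7 in an 8-entry array, next write needs slots 7, 8 and 9). The weak check only grows when the index is already at the end, so it guarantees one free slot rather than three; the dry-run function reports the first index such a pass would write past the end instead of performing the out-of-bounds write, and the reserve-before-write version shows the fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable glyph array modelling the pattern in the report.
 * Not pango's hangul-fc.c; names and sizes are constructed for illustration. */
typedef struct {
    unsigned int *glyphs;
    size_t len;   /* next free index */
    size_t cap;   /* allocated entries */
} glyph_buf;

static void gb_init(glyph_buf *b, size_t cap)
{
    b->glyphs = calloc(cap, sizeof *b->glyphs);
    if (!b->glyphs) abort();
    b->len = 0;
    b->cap = cap;
}

static void gb_free(glyph_buf *b)
{
    free(b->glyphs);
    b->glyphs = NULL;
    b->len = b->cap = 0;
}

/* Correct check: ensure `need` entries fit BEFORE any of them is written. */
static void gb_reserve(glyph_buf *b, size_t need)
{
    if (b->len + need <= b->cap)
        return;
    size_t ncap = b->cap ? b->cap : 1;
    while (ncap < b->len + need)
        ncap *= 2;
    unsigned int *p = realloc(b->glyphs, ncap * sizeof *p);
    if (!p) abort();
    b->glyphs = p;
    b->cap = ncap;
}

/* Append `n` entries safely: reserve first, then copy. */
static void gb_append(glyph_buf *b, const unsigned int *src, size_t n)
{
    gb_reserve(b, n);
    memcpy(b->glyphs + b->len, src, n * sizeof *src);
    b->len += n;
}

/* Dry run of the weak check from the report: grow only when the index is
 * already at cap, so a 3-entry write starting at cap-1 or cap-2 spills.
 * Returns the first out-of-bounds index the pass would touch, or -1 if the
 * pass stays in bounds. The write itself is not performed (it would be UB). */
static long weak_check_first_oob(const size_t *sizes, size_t nsizes, size_t cap)
{
    size_t idx = 0;
    for (size_t i = 0; i < nsizes; i++) {
        if (idx >= cap)            /* guarantees one free slot, not three */
            cap *= 2;
        if (idx + sizes[i] > cap)  /* would write glyphs[cap], glyphs[cap+1], ... */
            return (long)cap;
        idx += sizes[i];
    }
    return -1;
}

/* Same dry run with reserve-before-write: grows until the whole cluster fits. */
static long fixed_check_first_oob(const size_t *sizes, size_t nsizes, size_t cap)
{
    size_t idx = 0;
    if (cap == 0) cap = 1;
    for (size_t i = 0; i < nsizes; i++) {
        while (idx + sizes[i] > cap)
            cap *= 2;
        idx += sizes[i];
    }
    return -1;
}

/* Constructed sequence reproducing the report's example: the index reaches 7
 * in an 8-entry array and the next cluster needs slots 7, 8 and 9. */
static const size_t kReportSizes[] = { 3, 3, 1, 3 };
static const size_t kReportCount = sizeof kReportSizes / sizeof kReportSizes[0];

static long report_case_weak(void)  { return weak_check_first_oob(kReportSizes, kReportCount, 8); }
static long report_case_fixed(void) { return fixed_check_first_oob(kReportSizes, kReportCount, 8); }

/* Run the same sequence through the safe buffer; returns entries appended
 * and stores the final capacity in *cap_out. */
static size_t report_case_safe_append(size_t *cap_out)
{
    glyph_buf b;
    unsigned int syl[3] = { 0x1100, 0x1161, 0x11A8 };  /* L, V, T jamo (sample data) */
    gb_init(&b, 8);
    for (size_t i = 0; i < kReportCount; i++)
        gb_append(&b, syl, kReportSizes[i]);
    size_t len = b.len;
    if (cap_out) *cap_out = b.cap;
    gb_free(&b);
    return len;
}

int main(void)
{
    size_t cap = 0;
    printf("weak check:  first out-of-bounds index = %ld\n", report_case_weak());
    printf("fixed check: first out-of-bounds index = %ld\n", report_case_fixed());
    printf("safe append: %zu entries, capacity grew to %zu\n", report_case_safe_append(&cap), cap);
    return 0;
}
```

The point to check in any such loop is that the growth test uses the number of entries the current iteration will write, not a fixed "one past the end" condition; a check written for the common 1-entry step silently undersizes the 3-entry step.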