Fixed bug 2749 - Invalid memory read & write by TTF_RenderUTF8* functions with specific input
Ignacio R. Morelle
Under certain circumstances, the TTF_RenderUTF8* function family (which the TTF_RenderUNICODE* and TTF_RenderText* counterparts also call into in SDL_ttf 2.0.12) may read from and write to memory preceding an allocated pixmap block, potentially corrupting other heap structures and causing execution to crash later at a random point, especially during SDL invocations -- either by tripping a libc sanity check ("free(): invalid size" aborts, etc.) or by causing a plain segmentation fault.
The affected (base) functions I could identify from runtime testing with valgrind's memcheck tool are:
* TTF_RenderUTF8_Blended
* TTF_RenderUTF8_Shaded
* TTF_RenderUTF8_Solid
From a cursory glance at the code, I suspect TTF_RenderUTF8_Blended_Wrapped is affected as well since it uses the same pattern for copying the glyph from FreeType into the target SDL_Surface's pixmap.
The problematic pattern in question:
SDL_Surface *textbuf;
c_glyph *glyph;
int offset;
Uint32 *dst_check;
/* glyph->minx may be negative and less than -offset below! */
Uint32 *dst = (Uint32*) textbuf->pixels + offset + glyph->minx;
/* (dst < dst_check) is verified later, but (textbuf->pixels >= dst) isn't */
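To make the missing lower-bound check concrete, here is an added illustration (not SDL_ttf's own code) that uses hypothetical minimal stand-ins for c_glyph and the surface: one function reports whether offset + glyph->minx would land before pixels[0], and a second copies a glyph row while clipping instead of writing in front of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint32_t Uint32;

/* Hypothetical stand-ins for the SDL_ttf structures (assumption, not the real layout). */
typedef struct { int minx; int maxx; } c_glyph;
typedef struct { int w; int h; Uint32 *pixels; } text_surface;

/* Returns 1 if writing `count` pixels starting at (offset + glyph->minx) stays inside
 * the row [pixels, pixels + w), 0 otherwise. The `start < 0` test is the check the
 * 2.0.12 pattern lacks; the upper test mirrors its existing (dst < dst_check) check. */
int glyph_dst_in_bounds(const text_surface *textbuf, int offset,
                        const c_glyph *glyph, int count)
{
    long start = (long)offset + glyph->minx;   /* negative when -minx > offset */
    if (start < 0)
        return 0;                              /* would write before pixels[0] */
    if (start + count > textbuf->w)
        return 0;                              /* would run past the row */
    return 1;
}

/* Copies `count` source pixels into the row at (offset + glyph->minx), dropping any
 * that fall before pixels[0] or after the row end. Returns the number written. */
int blit_glyph_row_clipped(text_surface *textbuf, int offset, const c_glyph *glyph,
                           const Uint32 *src, int count)
{
    long start = (long)offset + glyph->minx;
    int skip = 0;
    if (start < 0) {                           /* clip the part preceding the block */
        skip = (int)(-start);
        start = 0;
    }
    if (skip >= count)
        return 0;
    long avail = (long)textbuf->w - start;
    int n = count - skip;
    if (n > avail)
        n = (int)avail;
    if (n <= 0)
        return 0;
    memcpy(textbuf->pixels + start, src + skip, (size_t)n * sizeof(Uint32));
    return n;
}
```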
The circumstances for triggering the fault are, unfortunately, very specific:
* Using the DejaVu Sans font at size 16 to render...
* A string consisting of an ASCII space followed by a Unicode combining character (U+0361 COMBINING DOUBLE INVERTED BREVE in my tests)