fix: cast overflow with large font sizes in Pango plugin
authorMatthew Fernandez <matthew.fernandez@gmail.com>
Sat, 1 Aug 2020 23:24:58 +0000 (16:24 -0700)
committerMatthew Fernandez <matthew.fernandez@gmail.com>
Fri, 7 Aug 2020 14:27:42 +0000 (07:27 -0700)
When using an abnormally large font size, computing the Pango units for the size
would overflow. This resulted in an assertion failure in Pango when seeing a
negative size value. This issue was found by the Google Autofuzz project. This
fixes #1314.

CHANGELOG.md
plugin/pango/gvtextlayout_pango.c
rtest/1314.dot [new file with mode: 0644]
rtest/test_regression.py

index 930d1f8960f00d69b26de07dddce3550ff393569..f01e9fe5cd4fba273bdf0ca3c1ee523bef214fd6 100644 (file)
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Escaped backslashes are not correctly handled when producing xdot with dot #165
 - heap-over-flow(off-by-null) in lib/common/shapes.c #1700
 - Windows MSBuild executables have the wrong version #1745
+- Cast Overflow at pango_textlayout #1314
 
 ## [2.44.1] - 2020-06-29
 
index 2c93955bec59c42aec0c8e7016d564249e70511c..fdb0f024ce7e639c5141efb0ccf7a828678a113e 100644 (file)
@@ -97,6 +97,12 @@ static boolean pango_textlayout(textspan_t * span, char **fontpath)
     }
 
     if (!fontname || strcmp(fontname, span->font->name) != 0 || fontsize != span->font->size) {
+
+       /* check if the conversion to Pango units below will overflow */
+       if ((double)(G_MAXINT / PANGO_SCALE) < span->font->size) {
+           return FALSE;
+       }
+
        fontname = span->font->name;
        fontsize = span->font->size;
        pango_font_description_free (desc);
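Review bot: The new check rejects only sizes above `G_MAXINT / PANGO_SCALE`; a `span->font->size` that is negative beyond `G_MININT / PANGO_SCALE`, or NaN (for which the `<` comparison is false), still reaches the conversion to Pango units that the added comment refers to, which lies outside this hunk. If the parser can deliver a negative or non-finite font size here, the guard should bound both ends of the range, e.g. `if (!(span->font->size >= (double)(G_MININT / PANGO_SCALE) && span->font->size <= (double)(G_MAXINT / PANGO_SCALE))) return FALSE;`, which rejects NaN as well. Returning FALSE with no diagnostic also leaves the user with a silent failure; a one-line message through the plugin's usual error reporting would make the rejected value visible. pango_textlayout starts and ends outside the hunk.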
diff --git a/rtest/1314.dot b/rtest/1314.dot
new file mode 100644 (file)
index 0000000..2affaa4
--- /dev/null
@@ -0,0 +1,3 @@
+digraph {
+  s [   fontsize = "1836031967s8"]
+n0}
index dd9876baf8bf8c8b550033d6376f9b21cc500ebc..4759972a08231dfaf1cedf3da1a49e60eda77d5e 100644 (file)
@@ -111,6 +111,25 @@ def test_165_3():
     assert any(r'hello \\\" world' in l for l in ldraw), \
       'unexpected ldraw contents'
 
+def test_1314():
+    '''
+    test that a large font size that produces an overflow in Pango is rejected
+    https://gitlab.com/graphviz/graphviz/-/issues/1314
+    '''
+
+    # locate our associated test case in this directory
+    input = os.path.join(os.path.dirname(__file__), '1314.dot')
+    assert os.path.exists(input), 'unexpectedly missing test case'
+
+    # ask Graphviz to process it, which should fail
+    try:
+      subprocess.check_call(['dot', '-Tsvg', '-o', os.devnull, input])
+    except subprocess.CalledProcessError:
+      return
+
+    # the execution did not fail as expected
+    pytest.fail('dot incorrectly exited with success')
+
 def test_1436():
     '''
     test a segfault from https://gitlab.com/graphviz/graphviz/-/issues/1436 has
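Review bot: `test_1314` passes for any non-zero exit, including the abort from the Pango assertion this commit fixes, so it cannot tell the new graceful rejection apart from the original crash; `subprocess.check_call` raises `CalledProcessError` for a signal death too (negative returncode on POSIX). Replacing the try/except with `p = subprocess.run(['dot', '-Tsvg', '-o', os.devnull, input])` and `assert p.returncode > 0, 'dot did not fail gracefully'` pins a normal error exit and fails on a crash. As a point of style, `input` shadows the builtin (`dot_input` or `source` reads better), and the bodies of `try` and `except` are indented two spaces where the rest of the function uses four.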