bound ft2font stream read to the requested count#31857
Conversation
|
Thank you for opening your first PR into Matplotlib! If you have not heard from us in a week or so, please leave a new comment below and that should bring it to our attention. Most of our reviewers are volunteers and sometimes things fall through the cracks. We also ask that you please finish addressing any review comments on this PR and wait for it to be merged (or closed) before opening a new one, as it can be a valuable learning experience to go through the review process. You can also join us on discourse chat for real-time discussion. For details on testing, writing docs, and our review process, please see the developer guide. We strive to be a welcoming and open project. Please follow our Code of Conduct. |
|
I used AI tools (Claude and ChatGPT) to help with code navigation, repository research, and understanding the relevant code paths. The investigation, validation, testing, and final code changes were performed and verified manually by me. I understand the change and can answer questions about the implementation and reasoning behind it. |
2 participants
read_from_file_callback copies len(file.read(count)) bytes into the buffer FreeType hands it, but that buffer is only sized for count. When a font is opened from a binary-mode file object (the io.BinaryIO path), nothing obliges the object's read() to honor the requested size, so a read() that returns more than count walks past the end of the FreeType buffer and corrupts the heap.
Cap n_read at count before the memcpy so both the copy and the returned length stay inside the allocated buffer. Before, an over-long read wrote out of bounds; after, the surplus bytes are dropped and FreeType just sees a full-buffer read. The bound sits in the callback because FreeType owns the buffer size, not the caller; the only tradeoff is that a file object returning more than it was asked for loses the bytes past count, which were never going to be used.