FcFreeTypeQueryFace allocates dynamic memory for its local pointers hashstr and fontdata, which are freed in case of error (under the bail1 label) but not when the function succeeds. They should also be freed after last use.

Reproducible: Always

Steps to Reproduce:
Run fc-query under valgrind. The actual font file doesn't matter much, except that for some fonts there is only one leak (of hashstr), not two.

Actual Results:
$ valgrind --leak-check=full --show-possibly-lost=no /usr/bin/fc-query /usr/share/fonts/dejavu/DejaVuSerif-Bold.ttf
==15589== Memcheck, a memory error detector
==15589== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==15589== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==15589== Command: /usr/bin/fc-query /usr/share/fonts/dejavu/DejaVuSerif-Bold.ttf
==15589==
Pattern has 22 elts (size 32)
# normal output skipped...
==15589==
==15589== HEAP SUMMARY:
==15589==     in use at exit: 341,192 bytes in 2 blocks
==15589==   total heap usage: 233 allocs, 231 frees, 409,543 bytes allocated
==15589==
==15589== 72 bytes in 1 blocks are definitely lost in loss record 1 of 2
==15589==    at 0x402BDC8: malloc (vg_replace_malloc.c:270)
==15589==    by 0x406D6C9: FcHashSHA256ToString (fchash.c:145)
==15589==    by 0x406DADA: FcHashGetSHA256DigestFromMemory (fchash.c:319)
==15589==    by 0x406D022: FcFreeTypeQueryFace (fcfreetype.c:1679)
==15589==    by 0x406D153: FcFreeTypeQuery (fcfreetype.c:1811)
==15589==    by 0x8048B07: main (fc-query.c:148)
==15589==
==15589== 341,120 bytes in 1 blocks are definitely lost in loss record 2 of 2
==15589==    at 0x402BDC8: malloc (vg_replace_malloc.c:270)
==15589==    by 0x406CFB7: FcFreeTypeQueryFace (fcfreetype.c:1672)
==15589==    by 0x406D153: FcFreeTypeQuery (fcfreetype.c:1811)
==15589==    by 0x8048B07: main (fc-query.c:148)
==15589==
==15589== LEAK SUMMARY:
==15589==    definitely lost: 341,192 bytes in 2 blocks
==15589==    indirectly lost: 0 bytes in 0 blocks
==15589==      possibly lost: 0 bytes in 0 blocks
==15589==    still reachable: 0 bytes in 0 blocks
==15589==         suppressed: 0 bytes in 0 blocks
==15589==
==15589== For counts of detected and suppressed errors, rerun with: -v
==15589== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

Expected Results:
$ valgrind --leak-check=full --show-possibly-lost=no /usr/bin/fc-query /usr/share/fonts/dejavu/DejaVuSerif-Bold.ttf
==25913== Memcheck, a memory error detector
==25913== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==25913== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==25913== Command: /usr/bin/fc-query /usr/share/fonts/dejavu/DejaVuSerif-Bold.ttf
==25913==
# normal output skipped...
==25913==
==25913== HEAP SUMMARY:
==25913==     in use at exit: 0 bytes in 0 blocks
==25913==   total heap usage: 233 allocs, 233 frees, 409,543 bytes allocated
==25913==
==25913== All heap blocks were freed -- no leaks are possible
==25913==
==25913== For counts of detected and suppressed errors, rerun with: -v
==25913== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
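The leak pattern the report describes, as an added example that is not fontconfig's code: a toy query_face_leaky with the same bail1 structure (temporaries freed only on the error path) beside query_face_fixed, which reaches the cleanup label on every path. The counting allocator (tracked_malloc/tracked_free) stands in for valgrind's block count; the font bytes, the toy digest and every name here are constructed and hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int live_blocks = 0;   /* outstanding allocations; stands in for valgrind's count */
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void tracked_free(void *p) { if (p) { live_blocks--; free(p); } }
static const unsigned char sample_font[] = { 0x00, 0x01, 0x00, 0x00, 0xDE, 0xAD }; /* constructed */
/* Same shape as the reported function: fontdata and hashstr are temporaries; only the returned
 * pattern (a heap copy of the hash string) outlives the call. 'fail' forces an error. */
static char *query_face_leaky(const unsigned char *font, size_t len, int fail)
{
    unsigned char *fontdata = tracked_malloc(len);
    char *hashstr = tracked_malloc(32), *pattern;
    if (!fontdata || !hashstr || fail) goto bail1;
    memcpy(fontdata, font, len);
    snprintf(hashstr, 32, "sha256:%02x", (unsigned)fontdata[0]);   /* toy digest, not SHA-256 */
    pattern = tracked_malloc(strlen(hashstr) + 1);
    if (pattern) strcpy(pattern, hashstr);
    return pattern;   /* BUG: the success path skips bail1, so both temporaries leak */
bail1:
    tracked_free(hashstr);
    tracked_free(fontdata);
    return NULL;
}
/* Fixed form: every path reaches the cleanup label; pattern carries the result out. */
static char *query_face_fixed(const unsigned char *font, size_t len, int fail)
{
    unsigned char *fontdata = tracked_malloc(len);
    char *hashstr = tracked_malloc(32), *pattern = NULL;
    if (!fontdata || !hashstr || fail) goto bail1;
    memcpy(fontdata, font, len);
    snprintf(hashstr, 32, "sha256:%02x", (unsigned)fontdata[0]);
    pattern = tracked_malloc(strlen(hashstr) + 1);
    if (pattern) strcpy(pattern, hashstr);
bail1:
    tracked_free(hashstr);   /* freed after last use, on success and error alike */
    tracked_free(fontdata);
    return pattern;
}
/* Blocks still live after one call plus the caller freeing the result: 2 only for the leaky success path. */
int leaked_blocks(int fixed, int fail)
{
    live_blocks = 0;
    char *p = fixed ? query_face_fixed(sample_font, sizeof sample_font, fail)
                    : query_face_leaky(sample_font, sizeof sample_font, fail);
    tracked_free(p);
    return live_blocks;
}
```

leaked_blocks(0, 0) reports the two lost blocks valgrind shows above; the error paths of both versions and the fixed success path report none.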
Created attachment 370234
patch of fcfreetype.c

Patch is against source already patched by the fontconfig-2.10.92 ebuild.
No vulnerable versions in gentoo repo any more.
(In reply to Ben de Groot from comment #2)
> No vulnerable versions in gentoo repo any more.

Thank you... closing.