[truetype] Don't duplicate size->twilight structure to be freed.
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate FT_GlyphZoneRec size->twilight to be freed. If duplicated, FT_FREE() erases the duplicated pointers only and leave original pointers. They can cause the double-free crash when the burst errors occur in TrueType interpreter and free_buffer_in_size() is invoked repeatedly. See Savannah bug #31040 for detail.
This commit is contained in:
parent
afd89d309d
commit
db053ec9a5
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
|||
2010-09-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
||||
|
||||
[truetype] Don't duplicate size->twilight structure to be freed.
|
||||
|
||||
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
|
||||
FT_GlyphZoneRec size->twilight to be freed. If duplicated,
|
||||
FT_FREE() erases the duplicated pointers only and leave original
|
||||
pointers. They can cause the double-free crash when the burst
|
||||
errors occur in TrueType interpreter and free_buffer_in_size()
|
||||
is invoked repeatedly. See Savannah bug #31040 for detail.
|
||||
|
||||
2010-09-15 Werner Lemberg <wl@gnu.org>
|
||||
|
||||
Make bytecode debugging with FontForge work again.
|
||||
|
|
|
@ -7364,9 +7364,8 @@
|
|||
static void
|
||||
free_buffer_in_size( TT_ExecContext exc )
|
||||
{
|
||||
FT_Memory memory = exc->memory;
|
||||
TT_Size size = exc->size;
|
||||
TT_GlyphZoneRec twilight;
|
||||
FT_Memory memory = exc->memory;
|
||||
TT_Size size = exc->size;
|
||||
|
||||
|
||||
if ( !size )
|
||||
|
@ -7381,18 +7380,16 @@
|
|||
if ( size->storage )
|
||||
FT_FREE( size->storage );
|
||||
|
||||
twilight = size->twilight;
|
||||
|
||||
if ( twilight.org )
|
||||
FT_FREE( twilight.org );
|
||||
if ( twilight.cur )
|
||||
FT_FREE( twilight.cur );
|
||||
if ( twilight.orus )
|
||||
FT_FREE( twilight.orus );
|
||||
if ( twilight.tags )
|
||||
FT_FREE( twilight.tags );
|
||||
if ( twilight.contours )
|
||||
FT_FREE( twilight.contours );
|
||||
if ( size->twilight.org )
|
||||
FT_FREE( size->twilight.org );
|
||||
if ( size->twilight.cur )
|
||||
FT_FREE( size->twilight.cur );
|
||||
if ( size->twilight.orus )
|
||||
FT_FREE( size->twilight.orus );
|
||||
if ( size->twilight.tags )
|
||||
FT_FREE( size->twilight.tags );
|
||||
if ( size->twilight.contours )
|
||||
FT_FREE( size->twilight.contours );
|
||||
}
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue