From dec8e7b97dd10e72890f785c98c9cd8fae8185b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Suzuki=2C=20Toshiya=20=28=E9=88=B4=E6=9C=A8=E4=BF=8A?=
 =?UTF-8?q?=E5=93=89=29?= <mpsuzuki@hiroshima-u.ac.jp>
Date: Fri, 19 Sep 2008 16:47:01 +0000
Subject: [PATCH] * src/base/ftobjs.c: Fix double free bug in sfnt-wrapped
 Type1/CID font support

---
 ChangeLog         | 10 ++++++++++
 src/base/ftobjs.c |  2 --
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5b7514448..303b640b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2008-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	* src/base/ftobjs.c (Mac_Read_sfnt_Resource): Fix double free bug
+	in sfnt-wrapped Type1 and sfnt-wrapped CID-keyed font support code.
+	open_face_from_buffer() frees the passed buffer when it cannot
+	open a face from the buffer, so the caller must not free it.
+
 2008-09-19  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
 
 	* src/base/ftobjs.c (Mac_Read_sfnt_Resource): Add initial support
@@ -6,6 +13,9 @@
 	table in sfnt table directory. It is used before loading TrueType
 	font driver.
 
+	* docs/CHANGES: Add note about the current status of sfnt-wrapped
+	Type1 and sfnt-wrapped CID-keyed font support.
+
 2008-09-18  Werner Lemberg  <wl@gnu.org>
 
 	* src/base/ftsystem.c (FT_Done_Memory): Use ft_sfree directly for
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index dc4905f1b..fa9ae7f41 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1539,8 +1539,6 @@
         FT_FREE( sfnt_data );
         goto Exit;
       }
-
-      FT_FREE( sfnt_ps );
     }
   Try_OpenType:
     error = open_face_from_buffer( library,