[truetype] Don't duplicate size->twilight structure to be freed.

* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
FT_GlyphZoneRec size->twilight to be freed.  If duplicated,
FT_FREE() erases the duplicated pointers only and leaves the original
pointers.  They can cause a double-free crash when burst
errors occur in the TrueType interpreter and free_buffer_in_size()
is invoked repeatedly.  See Savannah bug #31040 for details.
suzuki toshiya 2010-09-17 23:20:00 +09:00
parent afd89d309d
commit db053ec9a5
2 changed files with 23 additions and 15 deletions


@ -1,3 +1,14 @@
2010-09-17 suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
[truetype] Don't duplicate size->twilight structure to be freed.
* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
FT_GlyphZoneRec size->twilight to be freed. If duplicated,
FT_FREE() erases the duplicated pointers only and leave original
pointers. They can cause the double-free crash when the burst
errors occur in TrueType interpreter and free_buffer_in_size()
is invoked repeatedly. See Savannah bug #31040 for detail.
2010-09-15 Werner Lemberg <wl@gnu.org>
Make bytecode debugging with FontForge work again.
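Review bot: the new ChangeLog entry has two grammar slips that should be fixed before it lands: "FT_FREE() erases the duplicated pointers only and leave original pointers" should read "leaves the original pointers", and "when the burst errors occur in TrueType interpreter" should read "when burst errors occur in the TrueType interpreter". It would also help future readers to spell out the mechanism in one sentence, since it is the whole point of the change: FT_FREE() sets the pointer it is given to NULL, so freeing through a local copy of the struct leaves the members of size->twilight dangling, and the next call to free_buffer_in_size() frees them again.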


@ -7364,9 +7364,8 @@
static void
free_buffer_in_size( TT_ExecContext exc )
{
FT_Memory memory = exc->memory;
TT_Size size = exc->size;
TT_GlyphZoneRec twilight;
FT_Memory memory = exc->memory;
TT_Size size = exc->size;
if ( !size )
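Review bot: removing the local `TT_GlyphZoneRec twilight;` is the actual fix here; the reordering of the `memory` and `size` declarations is cosmetic and could be left out to keep the diff minimal, but it is harmless. Worth stating in the commit message that the shallow copy was the root cause: after `twilight = size->twilight;` every FT_FREE() nulled a field of the copy, not of the owning `size->twilight`, so the owner kept live-looking pointers to already-freed memory. With the copy gone, FT_FREE() now writes NULL back into the field that the next invocation will test.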
@ -7381,18 +7380,16 @@
if ( size->storage )
FT_FREE( size->storage );
twilight = size->twilight;
if ( twilight.org )
FT_FREE( twilight.org );
if ( twilight.cur )
FT_FREE( twilight.cur );
if ( twilight.orus )
FT_FREE( twilight.orus );
if ( twilight.tags )
FT_FREE( twilight.tags );
if ( twilight.contours )
FT_FREE( twilight.contours );
if ( size->twilight.org )
FT_FREE( size->twilight.org );
if ( size->twilight.cur )
FT_FREE( size->twilight.cur );
if ( size->twilight.orus )
FT_FREE( size->twilight.orus );
if ( size->twilight.tags )
FT_FREE( size->twilight.tags );
if ( size->twilight.contours )
FT_FREE( size->twilight.contours );
}
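Review bot: the `if ( size->twilight.X )` guards are now doing real work, because FT_FREE() nulls `size->twilight.org` etc. in place and a repeated call to free_buffer_in_size() skips them; that is exactly the behaviour needed for the "burst errors" case described in the commit message, so this hunk looks correct. Two follow-ups to consider: the `size->storage` release a few lines above this hunk already used the direct-member form, so it would be good to confirm that no other zone in `size` is still freed through a local copy, and a regression test that drives the interpreter into repeated error exits (the scenario from Savannah bug #31040) would catch any reintroduction of the copy-then-free pattern.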