[Devel] Bug in 2.1.4 - ttgload.c - segfault (list newbie)

[Tilman Kranz]

Hello FreeType Developers,

I am new to this list, if the posting is malformatted please 
excuse any inconveniences.

Since this appears to be the supported way of reporting bugs
I want to submit a report to here that refers to current stable
2.1.4 on Linux 2.4.19 x86, glibc 2.2.5, compiled with "configure 
--prefix=/some/cool/dir ; make".

I use freetype 2.1.4 with fontconfig 2.2.90 and Xft 2.1.2
for GTK 2.2.3, Pango 1.2.5 applications.

I have a series of low-quality TTF fonts which are
indexed by fontconfig and thus get used by Pango..GTK.
One of these (I have not been able to track the specific font file
causing the error down yet) causes TT_Load_Simple_Glyph
and TT_Process_Simple_Glyp in "./src/truetype/ttgload.c"
to segfault thus causing any GTK application to segfault.

The error conditions arises in TT_Load_Simple_Glyph at
the code near line 379:

   outline = &gloader->current.outline;
   
   ...
   
   {
   
      FT_Byte*  limit = flag + n_points;

      ...

I have a condition where flag is 0x0, thus causing any access
operation to segfault. I have appended "if(!flag)return error;"
as a quickfix.

The error condition arises in TT_Process_Simple_Glyph
at the code near line 658:

   pp1    = outline->points + n_points;
   pp1->x = load->bbox.xMin - load->left_bearing;

again, pp1 may be 0x0 which will lead to segfault in the access
operation. I have inserted "if(!pp1)return error;" as a
quickfix.

Our GTK/Pango applications work fine since the quickfix.
If this is a known problem, please let me know. Otherwise I'll 
try to determine which font actually lead to the conditions
described above and publish an update to this posting.

Bye,
Tilman.