freetype-devel

[Devel] bug in ttload.c v2.1.8


From: Gordon Childs
Subject: [Devel] bug in ttload.c v2.1.8
Date: Wed, 28 Apr 2004 11:57:58 +1000

In tt_face_load_names the name table is set up early on in the
function, specifically numNameRecords. At this point the names
field of the name table is still null. If, for any reason, something goes
wrong here (for me it's the loading of the names themselves) then
we exit with names still null and numNameRecords non-zero.

Later, in tt_face_free_names, this happens:

    FT_Memory     memory = face->root.driver->root.memory;
    TT_NameTable  table  = &face->name_table;
    TT_NameEntry  entry  = table->names;
    FT_UInt       count  = table->numNameRecords;


    for ( ; count > 0; count--, entry++ )
    {
      FT_FREE( entry->string );
      entry->stringLength = 0;
    }

entry is null and so FT_FREE goes off and tries to free 0 + smalloffset
and segfaults.

I guess either tt_face_free_names should check for a null names pointer
or tt_face_load_names should clean up the name table. I think the former
would be simpler...

I first encountered this bug in version 2.1.4 and see that it is still present
in 2.1.8.

Reading the 2.1.8 release notes, it looks like the broken type1 parsing
has been fixed and there is now no reason not to upgrade! (I hope).
Keep up the great work!
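Added example, not FreeType's code and not part of the post: a self-contained stand-in for the name table that shows both remedies the post suggests. The free routine tolerates a table whose numNameRecords is non-zero while names is still NULL, and the loader resets the table on every failure path so that state never escapes in the first place. Type and field names mirror those quoted in the post; the memory functions are plain malloc/free, the sample strings are constructed, and the fail_at parameter is a made-up knob standing in for a read error on a given record.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the FreeType types named in the post. */
typedef struct { char *string; unsigned int stringLength; } TT_NameEntryRec, *TT_NameEntry;
typedef struct { unsigned int numNameRecords; TT_NameEntry names; } TT_NameTableRec, *TT_NameTable;

/* Remedy 1: the free routine checks for a NULL names pointer instead of
 * walking numNameRecords entries from address 0. */
static void tt_face_free_names(TT_NameTable table)
{
    TT_NameEntry entry = table->names;
    unsigned int count = table->numNameRecords;

    if (entry != NULL) {
        for (; count > 0; count--, entry++) {
            free(entry->string);
            entry->string = NULL;
            entry->stringLength = 0;
        }
        free(table->names);
    }
    /* Leave the table consistent so a second free is a harmless no-op. */
    table->names = NULL;
    table->numNameRecords = 0;
}

/* Portable string duplicate (avoids relying on strdup being declared). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Remedy 2: the loader sets numNameRecords early, as the reported code
 * does, but cleans the table up on any error so a non-zero count never
 * outlives a NULL names pointer. Returns 0 on success, -1 on failure. */
static int tt_face_load_names(TT_NameTable table, const char *const *src,
                              unsigned int n, unsigned int fail_at)
{
    unsigned int i;

    table->numNameRecords = n;
    table->names = NULL;
    if (n == 0)
        return 0;

    table->names = calloc(n, sizeof(TT_NameEntryRec));
    if (table->names == NULL)
        goto Fail;   /* exactly the state the post describes */

    for (i = 0; i < n; i++) {
        if (i == fail_at)
            goto Fail;   /* constructed read error on record i */
        table->names[i].string = dup_string(src[i]);
        if (table->names[i].string == NULL)
            goto Fail;
        table->names[i].stringLength = (unsigned int)strlen(src[i]);
    }
    return 0;

Fail:
    tt_face_free_names(table);   /* release partial state */
    return -1;
}

/* A load that fails on the second record, then a free.
 * Returns 1 if the table was left empty and the free was safe. */
int demo_failed_load_is_safe(void)
{
    static const char *const constructed[] = { "Copyright", "Family", "Style" };
    TT_NameTableRec table;
    int rc = tt_face_load_names(&table, constructed, 3, 1);
    int clean = (rc == -1 && table.names == NULL && table.numNameRecords == 0);
    tt_face_free_names(&table);   /* second free: no-op, no crash */
    return clean;
}

/* A load that succeeds; returns the record count seen before freeing. */
int demo_successful_load(void)
{
    static const char *const constructed[] = { "Copyright", "Family", "Style" };
    TT_NameTableRec table;
    unsigned int count;
    if (tt_face_load_names(&table, constructed, 3, 99) != 0)
        return -1;
    count = table.numNameRecords;
    tt_face_free_names(&table);
    return (int)count;
}
```

The two remedies are independent: the NULL check alone stops the crash the post reports, while the loader cleanup keeps any later consumer of name_table from trusting a count that has no array behind it.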
