[Devel] bug in ttload.c v2.1.8
From: Gordon Childs
Subject: [Devel] bug in ttload.c v2.1.8
Date: Wed, 28 Apr 2004 11:57:58 +1000

In tt_face_load_names the name table is set up early on in the
function, specifically numNameRecords. At this point the names
field of the name table is still null. If, for any reason, something
goes wrong here (for me it's the loading of the names themselves) then
we exit with names still null and numNameRecords non-zero.

Later, in tt_face_free_names, this happens:

    FT_Memory     memory = face->root.driver->root.memory;
    TT_NameTable  table  = &face->name_table;
    TT_NameEntry  entry  = table->names;
    FT_UInt       count  = table->numNameRecords;

    for ( ; count > 0; count--, entry++ )
    {
      FT_FREE( entry->string );
      entry->stringLength = 0;
    }

entry is null and so FT_FREE goes off and tries to free 0 + smalloffset
and segfaults.

I guess either tt_face_free_names should check for a null names pointer
or tt_face_load_names should clean up the name table. I think the former
would be simpler...

I first encountered this bug in version 2.1.4 and see that it is still
present in 2.1.8.

Reading the 2.1.8 release notes, it looks like the broken type1 parsing
has been fixed and there is now no reason not to upgrade! (I hope).

Keep up the great work!
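
Added example, not part of the original message and not FreeType's code: a reduced model of the count/pointer mismatch described above, applying both suggested fixes (a null check in the free routine and cleanup on the loader's error path). The types NameEntry and NameTable, the functions name_table_free and name_table_load, and the fail_at parameter are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the name table; not FreeType's real types. */
typedef struct { char *string; unsigned stringLength; } NameEntry;
typedef struct { unsigned numNameRecords; NameEntry *names; } NameTable;

/* Guarded free: never walks a null array, and always leaves the count
   and the pointer consistent, so a second call is harmless. */
void name_table_free(NameTable *table)
{
    if (table->names != NULL) {
        for (unsigned i = 0; i < table->numNameRecords; i++) {
            free(table->names[i].string);
            table->names[i].stringLength = 0;
        }
        free(table->names);
    }
    table->names = NULL;
    table->numNameRecords = 0;
}

/* Loader that sets the count before the array exists, as in the report.
   fail_at simulates an error: 0 fails before the array is allocated,
   k > 0 fails while loading entry k-1, a negative value never fails. */
int name_table_load(NameTable *table, unsigned count, int fail_at)
{
    table->numNameRecords = count;
    table->names = NULL;
    if (fail_at == 0) goto fail;
    table->names = calloc(count ? count : 1, sizeof *table->names);
    if (table->names == NULL) goto fail;
    for (unsigned i = 0; i < count; i++) {
        if (fail_at == (int)i + 1) goto fail;
        table->names[i].string = malloc(8);
        if (table->names[i].string == NULL) goto fail;
        memcpy(table->names[i].string, "example", 8);
        table->names[i].stringLength = 7;
    }
    return 0;
fail:
    name_table_free(table);   /* error path resets count and pointer */
    return -1;
}

int main(void)
{
    NameTable t = { 5, NULL };          /* the state from the report */
    name_table_free(&t);
    return (int)t.numNameRecords;       /* 0: nothing was dereferenced */
}
```

Either fix alone stops the crash; doing both means no caller can ever observe a non-zero count next to a null array.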