`open_face_from_buffer` allocates a new `FT_Stream` to pass to `ft_open_face_internal`. Because this is an `FT_OPEN_STREAM`, `ft_open_face_internal` will mark this as an 'external stream', which the caller must free. However, `open_face_from_buffer` cannot directly free it because the stream must last as long as the face.

There is currently an attempt at this by clearing the 'external stream' bit after `open_face_from_buffer` returns successfully. However, this is too late as the original stream may have already been closed and the stream on the face may not be the same stream as originally passed.

It is tempting to use `FT_OPEN_MEMORY` and let `ft_open_face_internal` create the stream internally. However, with this method there is no means to pass through a 'close' function to the created stream to free the underlying data, which must be owned by the stream.

A possibility is to check on success if the stream of the face is the same as the original stream. If it is then unset the external flag. If not, then free the original stream. Unfortunately, while no current implementation does so, it is possible that the face still has the original stream somewhere other than as the `FT_FaceRec::stream`. The stream needs to remain available for the life of the face or until it is closed, whichever comes earlier.

The approach taken here is to let the stream own itself. When the stream is closed it will free itself.

* src/base/ftobjs.c (memory_stream_close): Free `stream`.
(open_face_from_buffer): Simplify error handling, since `ft_open_face_internal` always closes `args.stream` on any error.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54930

apodtele-master-patch-38950
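The ownership scheme the commit message settles on (the stream's close callback frees the stream itself, so the face never has to know whether the stream was "external") can be modelled in a few dozen lines. The following is an added example, not FreeType's code: `Stream`, `Face`, `stream_free`, `open_face_internal`, `open_face_from_buffer` and `check_ownership` are hypothetical stand-ins for the real `FT_Stream`, `FT_Face`, `FT_Stream_Free`, `ft_open_face_internal` and `open_face_from_buffer`. It assumes the rule the real library follows, namely that the close callback is always run when a face releases its stream, but the struct itself is freed by the library only when the stream is not marked external.

```c
#include <stdlib.h>
#include <string.h>

/* Added example: a hypothetical miniature of the stream/face ownership
 * scheme the commit message describes. All names are stand-ins, not
 * FreeType's API. */

typedef struct Stream Stream;
typedef void (*StreamCloseFunc)(Stream *stream);

struct Stream {
    unsigned char  *base;   /* buffer the stream serves; owned by the stream */
    size_t          size;
    StreamCloseFunc close;  /* run exactly once, when the owner releases it  */
};

typedef struct {
    Stream *stream;
    int     external_stream;  /* set: library must not free the Stream struct */
} Face;

/* Counters let a test observe frees without touching freed memory. */
static int g_buffer_frees = 0;
static int g_stream_frees = 0;

/* Close callback for a memory-backed stream. The stream owns both its buffer
 * and itself, so it frees both: this is the "stream owns itself" approach. */
static void memory_stream_close(Stream *stream)
{
    free(stream->base);
    g_buffer_frees++;
    free(stream);
    g_stream_frees++;
}

/* The rule the commit message relies on: close is always run, but the
 * struct is freed by the library only when the stream is not external. */
static void stream_free(Stream *stream, int external)
{
    if (stream->close)
        stream->close(stream);
    if (!external) {
        free(stream);
        g_stream_frees++;
    }
}

/* Stand-in for ft_open_face_internal: on success the face holds `stream` and
 * records it as external; on any error the stream is closed here and the
 * caller must not touch it again. `fail` simulates a parse error. */
static Face *open_face_internal(Stream *stream, int fail)
{
    Face *face = fail ? NULL : calloc(1, sizeof *face);
    if (!face) {
        stream_free(stream, 1);
        return NULL;
    }
    face->stream          = stream;
    face->external_stream = 1;
    return face;
}

/* Stand-in for open_face_from_buffer: wraps a caller-provided buffer (which
 * it takes ownership of) in a self-owning stream and opens a face from it.
 * It deliberately does NOT clear external_stream afterwards: the close
 * callback already frees the struct, so clearing the bit would double free. */
static Face *open_face_from_buffer(unsigned char *buffer, size_t size, int fail)
{
    Stream *stream = calloc(1, sizeof *stream);
    if (!stream) {
        free(buffer);
        return NULL;
    }
    stream->base  = buffer;
    stream->size  = size;
    stream->close = memory_stream_close;

    /* No cleanup needed on failure: open_face_internal always closes
     * `stream` on error, and the stream frees itself when closed. */
    return open_face_internal(stream, fail);
}

/* Face teardown: releases the stream exactly once. */
static void done_face(Face *face)
{
    if (!face) return;
    if (face->stream)
        stream_free(face->stream, face->external_stream);
    free(face);
}

/* Run one open/close cycle (constructed 16-byte buffer) and return 1 if the
 * buffer and the stream were each freed exactly once: no leak, no double free. */
int check_ownership(int fail)
{
    g_buffer_frees = g_stream_frees = 0;
    unsigned char *buf = malloc(16);
    if (!buf) return 0;
    memset(buf, 0, 16);
    Face *face = open_face_from_buffer(buf, 16, fail);
    if (!fail && !face) return 0;
    done_face(face);
    return g_buffer_frees == 1 && g_stream_frees == 1;
}
```

`check_ownership(0)` exercises the success path (the face frees the stream on teardown) and `check_ownership(1)` the failure path (`open_face_internal` closes the stream itself); both must end with exactly one free of the buffer and one of the stream struct. The model also shows why the earlier "clear the external bit on success" approach is unsafe once the stream frees itself: with the bit cleared, `stream_free` would free the struct a second time after the close callback already did.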
parent 6a179ff7d5
commit 13983b058e
1 changed files with 3 additions and 16 deletions