[truetype] Fix assertion failure.

Triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10212 * src/truetype/ttgload.c (load_truetype_glyph): Reintroduce `opened_frame' (removed in a change from 2018-08-26) to handle dealloation of the second frame.
6 years ago · 1c04eed76f
parent f8af8fba78
commit 1c04eed76f
2 changed files with 21 additions and 0 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+2018-09-07  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix assertion failure.
+
+	Triggered by
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10212
+
+	* src/truetype/ttgload.c (load_truetype_glyph): Reintroduce
+	`opened_frame' (removed in a change from 2018-08-26) to handle
+	dealloation of the second frame.
+
 2018-09-05  Werner Lemberg  <wl@gnu.org>

 	Synchronize `ftdebug.c' files.
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@ -1537,6 +1537,8 @@
    TT_Face         face    = loader->face;
    FT_GlyphLoader  gloader = loader->gloader;

+    FT_Bool  opened_frame = 0;
+
 #ifdef FT_CONFIG_OPTION_INCREMENTAL
    FT_StreamRec    inc_stream;
    FT_Data         glyph_data;
@ -1768,6 +1770,8 @@
    if ( error )
      goto Exit;

+    opened_frame = 1;
+
    /* if it is a simple glyph, load it */

    if ( loader->n_contours > 0 )
@ -1778,6 +1782,7 @@

      /* all data have been read */
      face->forget_glyph_frame( loader );
+      opened_frame = 0;

      error = TT_Process_Simple_Glyph( loader );
      if ( error )
@ -1851,6 +1856,7 @@

      /* all data we need are read */
      face->forget_glyph_frame( loader );
+      opened_frame = 0;

 #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT

@ -2105,6 +2111,9 @@

  Exit:

+    if ( opened_frame )
+      face->forget_glyph_frame( loader );
+
 #ifdef FT_CONFIG_OPTION_INCREMENTAL

    if ( glyph_data_loaded )