[truetype] Don't duplicate size->twilight structure to be freed.

* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate FT_GlyphZoneRec size->twilight to be freed. If duplicated, FT_FREE() erases the duplicated pointers only and leave original pointers. They can cause the double-free crash when the burst errors occur in TrueType interpreter and free_buffer_in_size() is invoked repeatedly. See Savannah bug #31040 for detail.
15 years ago · db053ec9a5
parent afd89d309d
commit db053ec9a5
2 changed files with 23 additions and 15 deletions
--- a/11
+++ b/11
@ -1,3 +1,14 @@
+2010-09-17  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	[truetype] Don't duplicate size->twilight structure to be freed.
+
+	* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
+	FT_GlyphZoneRec size->twilight to be freed.  If duplicated,
+	FT_FREE() erases the duplicated pointers only and leave original
+	pointers.  They can cause the double-free crash when the burst
+	errors occur in TrueType interpreter and free_buffer_in_size()
+	is invoked repeatedly.  See Savannah bug #31040 for detail.
+
 2010-09-15  Werner Lemberg  <wl@gnu.org>

 	Make bytecode debugging with FontForge work again.
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@ -7364,9 +7364,8 @@
  static void
  free_buffer_in_size( TT_ExecContext  exc )
  {
-    FT_Memory        memory = exc->memory;
-    TT_Size          size = exc->size;
-    TT_GlyphZoneRec  twilight;
+    FT_Memory  memory = exc->memory;
+    TT_Size    size = exc->size;


    if ( !size )
@ -7381,18 +7380,16 @@
    if ( size->storage )
      FT_FREE( size->storage );

-    twilight = size->twilight;
-
-    if ( twilight.org )
-      FT_FREE( twilight.org );
-    if ( twilight.cur )
-      FT_FREE( twilight.cur );
-    if ( twilight.orus )
-      FT_FREE( twilight.orus );
-    if ( twilight.tags )
-      FT_FREE( twilight.tags );
-    if ( twilight.contours )
-      FT_FREE( twilight.contours );
+    if ( size->twilight.org )
+      FT_FREE( size->twilight.org );
+    if ( size->twilight.cur )
+      FT_FREE( size->twilight.cur );
+    if ( size->twilight.orus )
+      FT_FREE( size->twilight.orus );
+    if ( size->twilight.tags )
+      FT_FREE( size->twilight.tags );
+    if ( size->twilight.contours )
+      FT_FREE( size->twilight.contours );
  }