[cairo-bugs] [Bug 102922] evince abrt on a double free in cairo_truetype_font_destroy

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Sep 21 19:12:24 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=102922

--- Comment #4 from Uli Schlachter <psychon at znc.in> ---
> ==7173== Invalid write of size 8
> ==7173==    at 0x6C86FD7: cairo_truetype_font_write_glyf_table (cairo-truetype-subset.c:690)
> ==7173==    by 0x6C8858B: cairo_truetype_font_generate (cairo-truetype-subset.c:978)
> ==7173==    by 0x6C8858B: cairo_truetype_subset_init_internal (cairo-truetype-subset.c:1146)
[...]
> ==7173==  Address 0x166d0558 is 8 bytes after a block of size 160 alloc'd
> ==7173==    at 0x4C31B25: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==7173==    by 0x6C87FAF: _cairo_truetype_font_create (cairo-truetype-subset.c:205)
> ==7173==    by 0x6C87FAF: cairo_truetype_subset_init_internal (cairo-truetype-subset.c:1134)


Line 690 is

> font->glyphs[i].location = next - start_offset;

The only statement modifying variable i is:

> for (i = 0; i < font->base.num_glyphs; i++) {

Since the above line is outside of this for-loop, i is at most
font->base.num_glyphs.

Looking a bit more at the callers, init_internal allocates the font with
_cairo_truetype_font_create(), which does:

> font->glyphs = calloc (font->num_glyphs_in_face + 1, sizeof (subset_glyph_t));

(I think) "num_glyphs_in_face" is (supposed to be) the number of glyphs in the
original font and "base.num_glyphs" is the number of glyphs which ended up in
the subsetted font. No idea why this manages to subset more glyphs than the
font even has. There are more numbers involved here
(cairo_truetype_subset_init_internal() uses
font->scaled_font_subset->num_glyphs...).

Behdad, ideas?

@Sebastian: You could try adding assert(font->base.num_glyphs <
font->num_glyphs_in_face); before the end of cairo_truetype_font_use_glyph().
This assert should trigger earlier than what valgrind can detect (ignore the
error which is only detected during free(), that's long after things went
wrong). Hopefully the backtrace for this one would be more useful, but I am
just guessing here.
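The index reasoning above, as an added example that is not cairo's code: a constructed, hypothetical model of the glyph array (`font_create`, `font_use_glyph`, `font_write_glyf_table` are invented names) that sizes the array exactly like the quoted `_cairo_truetype_font_create()` call, turns the suggested assert into a checked error, and repeats the loop-plus-one write pattern of `cairo_truetype_font_write_glyf_table()` so the capacity argument can be verified rather than guessed.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed, simplified stand-ins for cairo's structs (not the real definitions). */
typedef struct { unsigned long location; } subset_glyph_t;

typedef struct {
    struct { unsigned num_glyphs; } base;   /* glyphs that ended up in the subset */
    unsigned num_glyphs_in_face;            /* glyphs in the original font */
    subset_glyph_t *glyphs;
} truetype_font_t;

typedef enum { FONT_OK = 0, FONT_NO_MEMORY, FONT_TOO_MANY_GLYPHS } font_status_t;

/* Same sizing as the quoted calloc: num_glyphs_in_face + 1 entries, the extra
 * slot being for the write that follows the loop in the glyf-table writer. */
font_status_t font_create(truetype_font_t *font, unsigned num_glyphs_in_face) {
    font->base.num_glyphs = 0;
    font->num_glyphs_in_face = num_glyphs_in_face;
    font->glyphs = calloc((size_t)num_glyphs_in_face + 1, sizeof(subset_glyph_t));
    return font->glyphs ? FONT_OK : FONT_NO_MEMORY;
}

/* The invariant behind the suggested assert(font->base.num_glyphs <
 * font->num_glyphs_in_face), enforced as an error instead of a crash:
 * a subset cannot contain more glyphs than the face has. */
font_status_t font_use_glyph(truetype_font_t *font) {
    if (font->base.num_glyphs >= font->num_glyphs_in_face)
        return FONT_TOO_MANY_GLYPHS;
    font->base.num_glyphs++;
    return FONT_OK;
}

/* Mirrors the shape of the writer: glyphs[i] for i < num_glyphs inside the
 * loop, then one more write at i == num_glyphs after it (the "line 690" write).
 * offsets must hold num_glyphs + 1 entries. Returns the highest index written. */
unsigned font_write_glyf_table(truetype_font_t *font, const unsigned long *offsets) {
    unsigned i;
    for (i = 0; i < font->base.num_glyphs; i++)
        font->glyphs[i].location = offsets[i];
    font->glyphs[i].location = offsets[i];
    return i;
}

/* Entries the allocation really holds; the post-loop write is in bounds
 * exactly when num_glyphs < this value, i.e. num_glyphs <= num_glyphs_in_face. */
unsigned font_capacity(const truetype_font_t *font) {
    return font->num_glyphs_in_face + 1;
}

void font_destroy(truetype_font_t *font) {
    free(font->glyphs);
    font->glyphs = NULL;
}
```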
