On Thu, 2008-04-03 at 11:09 -0700, Carl Worth wrote:
> On Thu, 3 Apr 2008 17:28:37 +0200, Davide Viti wrote:
> > I get the following error when creating pdf (or ps) charts for
> > FreeSerifItalic.ttf
> >
> > [EMAIL PROTECTED]:~/dejavu/freefont$ fntsample -f FreeSerifItalic.ttf -o test.pdf
> > fntsample: /home/dajobe/dev/debian/cairo/cairo-1.4.14/src/cairo-array.c:301: _cairo_array_allocate: Assertion `array->num_elements + num_elements <= array->size' failed.
>
> Davide,
>
> Thanks so much for the bug report, (particularly with the nice easy
> recipe for replicating the bug).
My investigations suggest that the cause of the assertion failure is an integer overflow during _cairo_array_grow_by() due to this chunk in cairo-truetype-subset.c (line 574):

    if (be16_to_cpu (header.index_to_loc_format) == 0) {
        begin = be16_to_cpu (u.short_offsets[index]) * 2;
        end = be16_to_cpu (u.short_offsets[index + 1]) * 2;
    } else {
        begin = be32_to_cpu (u.long_offsets[index]);
        end = be32_to_cpu (u.long_offsets[index + 1]);
    }
    size = end - begin; /* <--overflow */

I've added some defensive code to treat the symptoms, but I don't know whether the root cause is either a bad font or that we are misinterpreting it.
-- 
Chris Wilson
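The defensive check Chris describes, written out as an added example in C (not cairo's code): the loca tables, the glyf length and the function name glyph_size are constructed for illustration. A decreasing offset pair or an end offset past the glyf table is rejected before end - begin is ever used to size an allocation, so the unsigned wrap that triggered the _cairo_array_allocate assertion cannot happen.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Read big-endian offsets as stored on disk in the TrueType 'loca' table. */
static uint32_t read_be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Return 0 and store the glyph's byte length, or -1 when the offset pair is
 * unusable: index past the table, begin > end (end - begin would wrap to
 * ~4 GiB and blow up the array growth), or end beyond the glyf table. */
int glyph_size(const uint8_t *loca, size_t loca_len, int index_to_loc_format,
               unsigned index, uint32_t glyf_len, uint32_t *size_out)
{
    size_t entry = (index_to_loc_format == 0) ? 2 : 4;
    if ((size_t)index + 2 > loca_len / entry)   /* need entries index and index+1 */
        return -1;
    uint32_t begin, end;
    if (index_to_loc_format == 0) {              /* short format: stored offset/2 */
        begin = read_be16(loca + (size_t)index * 2) * 2;
        end   = read_be16(loca + ((size_t)index + 1) * 2) * 2;
    } else {                                     /* long format: byte offset */
        begin = read_be32(loca + (size_t)index * 4);
        end   = read_be32(loca + ((size_t)index + 1) * 4);
    }
    if (end < begin || end > glyf_len)           /* inconsistent font data */
        return -1;
    *size_out = end - begin;
    return 0;
}

/* Constructed sample loca tables (not from any real font); glyf is 0x60 bytes. */
#define SAMPLE_GLYF_LEN 0x60u
static const uint8_t sample_loca_long[16] = {
    0,0,0,0x10,  0,0,0,0x40,   /* glyph 0: 0x10..0x40, valid, 0x30 bytes      */
    0,0,0,0x20,  0,0,0,0x80 }; /* glyph 1: 0x40..0x20 decreasing; glyph 2: end past glyf */
static const uint8_t sample_loca_short[4] = { 0,0x08, 0,0x20 }; /* glyph 0: 16..64 */

int main(void)
{
    uint32_t sz;
    for (unsigned i = 0; i < 3; i++) {
        int rc = glyph_size(sample_loca_long, sizeof sample_loca_long, 1, i, SAMPLE_GLYF_LEN, &sz);
        printf("glyph %u: %s\n", i, rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```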