The title says it all really. I discovered this by forcing random heap
allocation failures - a technique we used to use at Symbian.

If this line fails in ft_glyphslot_init

    if ( FT_NEW( internal ) )

then slot->internal is null, and when FT_New_GlyphSlot detects the error and
calls ft_glyphslot_done, it calls ft_glyphslot_free_bitmap, which dies with
a null pointer access.

  FT_BASE_DEF( void )
  ft_glyphslot_free_bitmap( FT_GlyphSlot  slot )
  {
    if ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) // CRASH!
    {
      FT_Memory  memory = FT_FACE_MEMORY( slot->face );


      FT_FREE( slot->bitmap.buffer );
      slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
    }
    else
    {
      /* assume that the bitmap buffer was stolen or not */
      /* allocated from the heap                         */
      slot->bitmap.buffer = NULL;
    }
  }

Suggested fix : change

    if ( slot->internal->flags & FT_GLYPH_OWN_BITMAP )

to

    if ( slot->internal && ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) )

Best regards,

Graham Asher
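
The scenario above, reduced to a small stand-alone model (added example, not
FreeType code): a fault-injecting allocator makes the Nth allocation fail, the
init-then-cleanup sequence runs, and the cleanup tests slot->internal before
dereferencing it, as the suggested fix does. Names such as xalloc, Slot,
slot_init and simulate are assumptions of this model, not FreeType identifiers.

```c
#include <stdlib.h>
#include <string.h>

#define OWN_BITMAP 1   /* stands in for FT_GLYPH_OWN_BITMAP */

typedef struct { int flags; } Internal;                              /* slot->internal */
typedef struct { Internal *internal; unsigned char *buffer; } Slot;  /* FT_GlyphSlotRec */

/* Fault injection: the Nth allocation (1-based) returns NULL; 0 disables it. */
static int g_fail_at = 0, g_alloc_count = 0;

static void *xalloc(size_t n)
{
    return (++g_alloc_count == g_fail_at) ? NULL : calloc(1, n);
}

/* Cleanup with the fix applied: test slot->internal before dereferencing it. */
static void slot_free_bitmap(Slot *slot)
{
    if (slot->internal && (slot->internal->flags & OWN_BITMAP)) {
        free(slot->buffer);
        slot->internal->flags &= ~OWN_BITMAP;
    }
    slot->buffer = NULL;
}

/* Init path: internal first, then the bitmap buffer. Returns -1 on failure. */
static int slot_init(Slot *slot)
{
    memset(slot, 0, sizeof *slot);
    if (!(slot->internal = xalloc(sizeof *slot->internal)))
        return -1;                       /* the case from the report */
    if (!(slot->buffer = xalloc(16)))
        return -1;
    slot->internal->flags |= OWN_BITMAP;
    return 0;
}

/* Fail allocation number fail_at, run init, then done-style cleanup; returns init's rc. */
int simulate(int fail_at)
{
    Slot slot;
    int rc;
    g_fail_at = fail_at;
    g_alloc_count = 0;
    rc = slot_init(&slot);
    slot_free_bitmap(&slot);
    free(slot.internal);
    return rc;
}
```

Without the slot->internal test, simulate(1) would dereference NULL in the
cleanup, which is the crash the report describes.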




_______________________________________________
Freetype-devel mailing list
Freetype-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/freetype-devel