On Nov 4, 2008, at 1:16 PM, Graham Asher wrote:
The title says it all really. I discovered this by forcing random heap allocation failures - a technique we used to use at Symbian.
If this line fails in ft_glyphslot_init
    if ( FT_NEW( internal ) )
then slot->internal is null, and when FT_New_GlyphSlot detects the error and calls ft_glyphslot_done, it calls ft_glyphslot_free_bitmap, which dies with a null pointer access.
    FT_BASE_DEF( void )
    ft_glyphslot_free_bitmap( FT_GlyphSlot slot )
    {
      if ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) // CRASH!
      {
        FT_Memory memory = FT_FACE_MEMORY( slot->face );

        FT_FREE( slot->bitmap.buffer );
        slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
      }
      else
      {
        /* assume that the bitmap buffer was stolen or not */
        /* allocated from the heap */
        slot->bitmap.buffer = NULL;
      }
    }
Suggested fix : change
    if ( slot->internal->flags & FT_GLYPH_OWN_BITMAP )
to
    if ( slot && ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) )
If the danger is that maybe slot->internal==NULL, shouldn't the test be this instead?
    if ( slot->internal && ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) )
?
If there's also a danger of slot==NULL then a solution would be to put
    if ( !slot ) return;
at the beginning, or surround the whole function with
    if ( slot ) { ... }
Otherwise the else part would still crash if slot==NULL.
Tom
Best regards,
Graham Asher
___
Freetype-devel mailing list
Freetype-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/freetype-devel
文林 Wenlin Institute, Inc. Software for Learning Chinese
E-mail: [EMAIL PROTECTED] Web: http://www.wenlin.com
Telephone: 1-877-4-WENLIN (1-877-493-6546)
☯
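As an added example (not FreeType code, and not from either poster), a self-contained C sketch that reproduces the failure path discussed in the thread with a fault-injecting allocator and shows the guard Tom describes. The type names (GlyphSlot, SlotInternal, Bitmap), the outcome codes and the fallible_calloc stand-in for FT_NEW are assumptions chosen for the example; only the FT_GLYPH_OWN_BITMAP flag name comes from the thread.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the FreeType types involved (assumed shapes,
 * not the real FT_GlyphSlotRec / FT_GlyphSlot_InternalRec). */
#define FT_GLYPH_OWN_BITMAP  0x1U

typedef struct { unsigned char *buffer; } Bitmap;
typedef struct { unsigned int   flags;  } SlotInternal;
typedef struct {
    SlotInternal *internal;   /* NULL if the FT_NEW( internal ) step failed */
    Bitmap        bitmap;
} GlyphSlot;

/* Outcome codes so callers (and tests) can see which branch ran. */
enum {
    FREED_OWN_BITMAP       = 1,  /* owned heap buffer released, flag cleared   */
    DROPPED_FOREIGN_BUFFER = 2,  /* buffer not ours (or no internal): dropped  */
    SKIPPED_NULL_SLOT      = 3   /* slot itself was NULL: nothing to do        */
};

/* Fault injection: a stand-in for FT_NEW that fails on request, mimicking
 * the random heap-allocation failures used to find the bug. */
static int g_fail_next_alloc = 0;

static void *fallible_calloc( size_t size )
{
    if ( g_fail_next_alloc )
    {
        g_fail_next_alloc = 0;
        return NULL;
    }
    return calloc( 1, size );
}

/* Guarded free: checks slot->internal (Tom's point) and also slot itself, so
 * neither branch can dereference NULL. Checking only `slot` (the first
 * suggested fix) would still crash here when slot->internal is NULL. */
int glyphslot_free_bitmap_guarded( GlyphSlot *slot )
{
    if ( !slot )
        return SKIPPED_NULL_SLOT;

    if ( slot->internal && ( slot->internal->flags & FT_GLYPH_OWN_BITMAP ) )
    {
        free( slot->bitmap.buffer );
        slot->bitmap.buffer    = NULL;
        slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
        return FREED_OWN_BITMAP;
    }

    /* assume the bitmap buffer was stolen or not allocated from the heap */
    slot->bitmap.buffer = NULL;
    return DROPPED_FOREIGN_BUFFER;
}

/* Stand-in for ft_glyphslot_init: allocate the internal record. */
static int glyphslot_init( GlyphSlot *slot )
{
    slot->bitmap.buffer = NULL;
    slot->internal = fallible_calloc( sizeof( SlotInternal ) );
    return slot->internal ? 0 : -1;   /* -1 plays the role of an OOM error */
}

/* Stand-in for ft_glyphslot_done on the error path. */
static int glyphslot_done( GlyphSlot *slot )
{
    int outcome = glyphslot_free_bitmap_guarded( slot );
    free( slot->internal );           /* free( NULL ) is a no-op */
    slot->internal = NULL;
    return outcome;
}

/* Scenario 1: the internal allocation fails, so cleanup runs with
 * internal == NULL, exactly the path that crashed the unguarded code. */
int scenario_init_failure( void )
{
    GlyphSlot slot = { NULL, { NULL } };
    g_fail_next_alloc = 1;
    if ( glyphslot_init( &slot ) != 0 )
        return glyphslot_done( &slot );   /* expect DROPPED_FOREIGN_BUFFER */
    return 0;
}

/* Scenario 2: the slot owns a heap bitmap; the guarded free must release it
 * and clear the ownership flag. Returns the outcome code, or -1 on bad state. */
int scenario_owned_bitmap( void )
{
    GlyphSlot slot = { NULL, { NULL } };
    if ( glyphslot_init( &slot ) != 0 )
        return -1;
    slot.bitmap.buffer    = malloc( 64 );   /* constructed owned buffer */
    slot.internal->flags |= FT_GLYPH_OWN_BITMAP;

    int outcome = glyphslot_free_bitmap_guarded( &slot );
    int clean   = ( slot.bitmap.buffer == NULL ) &&
                  !( slot.internal->flags & FT_GLYPH_OWN_BITMAP );
    free( slot.internal );
    return clean ? outcome : -1;            /* expect FREED_OWN_BITMAP */
}

int main( void )
{
    printf( "init failure path : %d\n", scenario_init_failure() );
    printf( "owned bitmap path : %d\n", scenario_owned_bitmap() );
    printf( "NULL slot         : %d\n", glyphslot_free_bitmap_guarded( NULL ) );
    return 0;
}
```

The fault-injection switch is what makes the first scenario reproducible: without it, the internal-record allocation almost never fails in a test run, and the missing NULL check stays invisible until a low-memory condition hits in the field.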