ref: c6788a389d9003c5c6b86f30047e05658416f7d6
parent: 2f2b780e00235356ffcf1e8f98e19f3bb1910ed2
author: Werner Lemberg <[email protected]>
date: Sun Jun 7 09:09:21 EDT 2009
Fix some potential out-of-memory crashes. * src/base/ftobjs.c (ft_glyphslot_done): Check `slot->internal'. * src/base/ftstream.c (FT_Stream_ReleaseFrame): Check `stream'. * src/truetype/ttinterp.c (TT_New_Context): Avoid double-free of `exec' in case of failure.
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2009-06-07 Harald Fernengel <[email protected]>
+
+ Fix some potential out-of-memory crashes.
+
+ * src/base/ftobjs.c (ft_glyphslot_done): Check `slot->internal'.
+ * src/base/ftstream.c (FT_Stream_ReleaseFrame): Check `stream'.
+ * src/truetype/ttinterp.c (TT_New_Context): Avoid double-free of
+ `exec' in case of failure.
+
2009-06-07 Werner Lemberg <[email protected]>
Simplify math.
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -348,14 +348,18 @@
/* free bitmap buffer if needed */
ft_glyphslot_free_bitmap( slot );
- /* free glyph loader */
- if ( FT_DRIVER_USES_OUTLINES( driver ) )
+ /* slot->internal might be NULL in out-of-memory situations */
+ if ( slot->internal )
{
- FT_GlyphLoader_Done( slot->internal->loader );
- slot->internal->loader = 0;
- }
+ /* free glyph loader */
+ if ( FT_DRIVER_USES_OUTLINES( driver ) )
+ {
+ FT_GlyphLoader_Done( slot->internal->loader );
+ slot->internal->loader = 0;
+ }
- FT_FREE( slot->internal );
+ FT_FREE( slot->internal );
+ }
}
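Review bot: `ft_glyphslot_free_bitmap( slot )` is still called before the new `slot->internal` guard, so if that helper reads `slot->internal` (its body is not part of this diff) the NULL dereference in the out-of-memory path stays reachable. Please confirm the helper tolerates a NULL `internal`, and record that next to the call, for example `/* ft_glyphslot_free_bitmap() must cope with slot->internal == NULL */`. `ft_glyphslot_done` starts above this hunk, so any earlier use of `slot->internal` in the function, such as from a driver callback, cannot be checked from here and deserves the same look.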
--- a/src/base/ftstream.c
+++ b/src/base/ftstream.c
@@ -4,7 +4,7 @@
/* */
/* I/O stream support (body). */
/* */
-/* Copyright 2000-2001, 2002, 2004, 2005, 2006, 2008 by */
+/* Copyright 2000-2001, 2002, 2004, 2005, 2006, 2008, 2009 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -211,7 +211,7 @@
FT_Stream_ReleaseFrame( FT_Stream stream,
FT_Byte** pbytes )
{
- if ( stream->read )
+ if ( stream && stream->read )
{
FT_Memory memory = stream->memory;
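Review bot: The added `stream &&` test has no comment saying when `stream` may legitimately be NULL, unlike the matching guard in src/base/ftobjs.c. I would add `/* stream might be NULL in out-of-memory situations */` above the `if`. Silently accepting NULL also hides a caller that releases a frame it never entered, so a debug-build trace or assertion on that path may be worth considering. The function body continues past the end of this hunk, so whether `pbytes` is written outside the guarded block cannot be verified here.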
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -791,9 +791,9 @@
/* allocate object */
if ( FT_NEW( exec ) )
- goto Exit;
+ goto Fail;
- /* initialize it */
+ /* initialize it; in case of error this deallocates `exec' too */
error = Init_Context( exec, memory );
if ( error )
goto Fail;
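Review bot: Dropping `FT_FREE( exec )` from the `Fail` path (second hunk of this file) is only safe if `Init_Context` releases `exec` on every one of its error returns. That function is not visible in this diff, and any error path in it that returns without freeing now leaks the context instead of double-freeing it. The new comment states the contract at the call site only; it should also appear in `Init_Context`'s own header comment, e.g. `/* On failure, exec has already been freed; the caller must not free or use it. */`, so a later edit there does not quietly reintroduce either memory bug. `exec` keeps its stale value after a failed `Init_Context`. That is harmless while `Fail` only returns, but adding `exec = NULL;` before the second `goto Fail` would keep it safe if cleanup is ever added back under the label.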
@@ -802,13 +802,10 @@
driver->context = exec;
}
- Exit:
return driver->context;
Fail:
- FT_FREE( exec );
-
- return 0;
+ return NULL;
}