shithub: freetype+ttf2subf

git/fs: mount .git/fs: mount/attach disallowed

--- a/ChangeLog

+++ b/ChangeLog

@@ -1,3 +1,14 @@

+2010-09-17  suzuki toshiya  <[email protected]>

+	[truetype] Don't duplicate size->twilight structure to be freed.

+	* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate

+	FT_GlyphZoneRec size->twilight to be freed.  If duplicated,

+	FT_FREE() erases the duplicated pointers only and leave original

+	pointers.  They can cause the double-free crash when the burst

+	errors occur in TrueType interpreter and free_buffer_in_size()

+	is invoked repeatedly.  See Savannah bug #31040 for detail.

 2010-09-15  Werner Lemberg  <[email protected]>

 	Make bytecode debugging with FontForge work again.

--- a/src/truetype/ttinterp.c

+++ b/src/truetype/ttinterp.c

@@ -7364,9 +7364,8 @@

   static void

   free_buffer_in_size( TT_ExecContext  exc )

-    FT_Memory        memory = exc->memory;

-    TT_Size          size = exc->size;

-    TT_GlyphZoneRec  twilight;

+    FT_Memory  memory = exc->memory;

+    TT_Size    size = exc->size;

     if ( !size )

@@ -7381,18 +7380,16 @@

     if ( size->storage )

       FT_FREE( size->storage );

-    twilight = size->twilight;

-    if ( twilight.org )

-      FT_FREE( twilight.org );

-    if ( twilight.cur )

-      FT_FREE( twilight.cur );

-    if ( twilight.orus )

-      FT_FREE( twilight.orus );

-    if ( twilight.tags )

-      FT_FREE( twilight.tags );

-    if ( twilight.contours )

-      FT_FREE( twilight.contours );

+    if ( size->twilight.org )

+      FT_FREE( size->twilight.org );

+    if ( size->twilight.cur )

+      FT_FREE( size->twilight.cur );

+    if ( size->twilight.orus )

+      FT_FREE( size->twilight.orus );

+    if ( size->twilight.tags )

+      FT_FREE( size->twilight.tags );

+    if ( size->twilight.contours )

+      FT_FREE( size->twilight.contours );