[ft-devel] ttfautohint: freeing invalid pointer on composite glyph in TA
From: Nikolaus Waxweiler
Subject: [ft-devel] ttfautohint: freeing invalid pointer on composite glyph in TA_sfnt_build_delta_exceptions()
Date: Wed, 17 Jan 2018 22:49:49 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
Hi list,
we stumbled over the following issue that has been present since at least 1.7:
1. Unzip test.zip
2. fontmake -u test.ufo/ -o ttf
3. ttfautohint -l 8 -r 50 -G 50 -x 14 -D latn -f latn -m test.ctrl -w G
-X "" master_ttf/.ttf test.ttf --symbol
The program aborts with "munmap_chunk(): invalid pointer" at
tabytecode.c:1130, which is "free(delta_before_IUP_args[i])". `i` always
seems to be 4 here.
(gdb) print *(delta_before_IUP_args[4])
$6 = 207
(gdb) print num_delta_before_IUP_args
$7 = {0, 0, 0, 22, 0, 0}
The values in the control file are arbitrary, and the crash happens on a
composite glyph that just references another.
Backtrace:
#0 0x00007ffff635f66b in raise () from /lib64/libc.so.6
#1 0x00007ffff6361381 in abort () from /lib64/libc.so.6
#2 0x00007ffff63a9a57 in __libc_message () from /lib64/libc.so.6
#3 0x00007ffff63b09aa in malloc_printerr () from /lib64/libc.so.6
#4 0x00007ffff63b9224 in free () from /lib64/libc.so.6
#5 0x00007ffff7ba0bf9 in TA_sfnt_build_delta_exceptions (
sfnt=<optimized out>, sfnt=<optimized out>, bufp=0x6bbe23 "", idx=79,
font=<optimized out>) at tabytecode.c:1130
#6 TA_sfnt_build_glyph_instructions (address@hidden,
address@hidden, address@hidden) at tabytecode.c:3017
#7 0x00007ffff7bb104b in TA_sfnt_build_glyf_hints (font=0x6264a0,
sfnt=0x639b10) at taglyf.c:39
#8 TA_sfnt_build_glyf_table (address@hidden,
address@hidden) at taglyf.c:835
#9 0x00007ffff7bbf88b in TTF_autohint (options=<optimized out>,
address@hidden "in-file, out-file,
control-file,reference-file, reference-index,
reference-name,hinting-range-min, hinting-range-max,
hinting-limit,gray-stem-width-mode,
gdi-cleartype-stem-width-mode,dw-cleartype-ste"...)
at ttfautohint.c:737
#10 0x0000000000402901 in main (argc=<optimized out>, argv=<optimized out>)
at main.cpp:1507
test.zip
Description: Zip archive
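The gdb dump in the message shows a non-NULL pointer in slot 4 while that slot's count is 0. The following is an added example, not ttfautohint's code and not part of the original message: a cleanup routine that checks that invariant before calling free(). `ArgTable`, the function names, and the interior pointer used to build the sample state are assumptions; the message does not say where the bad pointer came from.

```c
#include <stdio.h>
#include <stdlib.h>
#define NUM_SLOTS 6 /* the gdb dump shows six counters */

/* Hypothetical stand-in: per-slot heap buffers plus their element counts. */
typedef struct {
    unsigned int *args[NUM_SLOTS];
    unsigned int  num_args[NUM_SLOTS];
} ArgTable;

/* Assumed invariant: a slot holds a pointer iff its count is nonzero.
   Returns the first slot breaking it, or -1 if the table is consistent. */
int first_inconsistent_slot(const ArgTable *t) {
    for (int i = 0; i < NUM_SLOTS; i++)
        if ((t->args[i] != NULL) != (t->num_args[i] != 0))
            return i;
    return -1;
}

/* Frees only slots whose count says they were allocated, then clears every
   slot so a repeated call is harmless. Returns the number of buffers freed. */
int release_table(ArgTable *t) {
    int freed = 0;
    for (int i = 0; i < NUM_SLOTS; i++) {
        if (t->num_args[i] != 0 && t->args[i] != NULL) { free(t->args[i]); freed++; }
        t->args[i] = NULL; /* a slot with count 0 is dropped, never freed */
        t->num_args[i] = 0;
    }
    return freed;
}

/* Constructed state: counts {0,0,0,22,0,0}; slot 4 is given an interior
   pointer (an assumption, chosen because free() rejects such pointers). */
int build_sample(ArgTable *t) {
    ArgTable empty = { {NULL}, {0} };
    *t = empty;
    if ((t->args[3] = malloc(22 * sizeof *t->args[3])) == NULL) return -1;
    t->num_args[3] = 22;
    for (unsigned int k = 0; k < 22; k++) t->args[3][k] = 200 + k;
    t->args[4] = &t->args[3][7]; /* reads back 207, as in the dump */
    return 0;
}

int main(void) {
    ArgTable t;
    if (build_sample(&t) != 0) return 1;
    printf("inconsistent slot: %d\n", first_inconsistent_slot(&t));
    return release_table(&t) == 1 ? 0 : 1;
}
```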