
Re: [ft-devel] ftview/ftstring segfault with -e unic


From: Jens Claudius
Subject: Re: [ft-devel] ftview/ftstring segfault with -e unic
Date: Sun, 14 May 2006 05:47:56 -0700 (PDT)

First off, sorry for not posting to the correct thread, but I turned
off mail delivery for my freetype-devel subscription and now I’m unable
to reply to specific messages. (I have turned mail delivery on now).

The bug is in FTC_CMapCache_Lookup() if you compile with
FT_CONFIG_OPTION_OLD_INTERNALS. Here’s a manually created stack dump:

FTC_CMapCache_Lookup()          ftccmap.c:310
FTDemo_Get_Index()              ftcommon.c:620
Render_All()                    ftview.c:276
main()                          ftview.c:1095

FTC_CMapCache_Lookup() is called with cmap_index=4 and
face_id is a (struct TFont_*), which points to
{
  filepathname = 0x595ab0 "KozMinProVI-Regular.otf", 
  face_index   = 0,
  cmap_index   = 4,
  num_indices  = 1114112,
  file_address = 0x0,
  file_size    = 0
}.

Since cmap_index >= 4, FTC_CMapCache_Lookup() assumes a “rogue client” and
casts face_id to FTC_OldCMapDesc, which is
{
  face_id = 0x595ab0,
  type    = FTC_OLD_CMAP_BY_INDEX,
  u       = {
              index    = 4,
              encoding = 4,
              id = {
                     platform = 4,
                     encoding = 1114112
                   }
            }
}

and then at line 316 sets query.face_id = ((FTC_OldCMapDesc) face_id)->face_id
instead of query.face_id = face_id as it would do on line 351. On line 381
FTC_Manager_LookupFace() passes node->face_id, which is now
face_id->filepathname.
This is passed down to my_face_requester() in ftcommon.c, which interprets this
as a PFont. Here’s the stack dump from gdb:

#0  0x00002ade51b3b0c6 in FT_Stream_ReadLong (stream=0x595a20, error=0x7fffffc5649c)
    at ftstream.c:635
#1  0x00002ade51b68b79 in sfnt_init_face (stream=0x595a20, face=0x53f750, face_index=1932487777,
    num_params=<value optimized out>, params=<value optimized out>) at sfobjs.c:377
#2  0x00002ade51b47e93 in tt_face_init (stream=0x595a20, ttface=0x53f750, face_index=1932487777,
    num_params=0, params=0x0) at ttobjs.c:191
#3  0x00002ade51b3cb77 in open_face (driver=0x522290, stream=0x595a20, face_index=1932487777,
    num_params=0, params=0x0, aface=0x7fffffc56780) at ftobjs.c:987
#4  0x00002ade51b3df70 in FT_Open_Face (library=0x51e100, args=0x7fffffc567d8,
    face_index=1932487777, aface=0x53f738) at ftobjs.c:1694
#5  0x00002ade51b3ea26 in FT_New_Memory_Face (library=0x595a20, file_base=<value optimized out>,
    file_size=<value optimized out>, face_index=140737484514676, aface=0x65626f64612f6678)
    at ftobjs.c:1073
#6  0x0000000000404758 in my_face_requester (face_id=0x595ab0, lib=0x595a20,
    request_data=<value optimized out>, aface=0x53f738)
    at /var/tmp/portage/freetype-2.2.1/work/ft2demos-2.2.1/src/ftcommon.c:204
#7  0x00002ade51b77269 in ftc_face_node_init (ftcnode=0x53f720, ftcface_id=0x595a20,
    ftcmanager=0x0) at ftcmanag.c:237
#8  0x00002ade51b75e51 in FTC_MruList_New (list=0x526118, key=0x595ab0, anode=0x7fffffc56908)
    at ftcmru.c:269
#9  0x00002ade51b75f28 in FTC_Manager_LookupFace (manager=0x526060, face_id=0x595ab0,
    aface=0x7fffffc56970) at ftcmanag.c:319
#10 0x00002ade51b775f4 in FTC_CMapCache_Lookup (cmap_cache=0x526480,
    face_id=<value optimized out>, cmap_index=4, char_code=4) at ftccmap.c:381


How this is to be solved is left as an exercise to the reader...

Jens

PS: By the way, is the num_indices = 1114112 above OK?
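A constructed illustration of the aliasing the message describes, added here; it is not code from the message or from FreeType's sources. The two structs are replicas of the field layouts quoted above with assumed field types, and the two resolve functions mirror the line-316 and line-351 paths as described, nothing more.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed replica of the demo's TFont layout as quoted in the message.
   Field types are assumed; this is not ft2demos' own header. */
typedef struct TFont_ {
    const char *filepathname;
    int         face_index;
    int         cmap_index;
    int         num_indices;
    void       *file_address;
    size_t      file_size;
} TFont;

/* Constructed replica of FTC_OldCMapDesc as quoted in the message. */
typedef struct FTC_OldCMapDescRec_ {
    void *face_id;
    int   type;
    union {
        int index;
        int encoding;
        struct { int platform; int encoding; } id;
    } u;
} FTC_OldCMapDescRec, *FTC_OldCMapDesc;

/* Decision described for FT_CONFIG_OPTION_OLD_INTERNALS: cmap_index >= 4 is
   taken as a "rogue client" and the opaque face_id is reinterpreted. */
void *resolve_face_id_old_internals(void *face_id, int cmap_index)
{
    if (cmap_index >= 4)
        return ((FTC_OldCMapDesc)face_id)->face_id;   /* line-316 path */
    return face_id;                                    /* line-351 path */
}

/* Without the heuristic the opaque handle is passed through untouched. */
void *resolve_face_id_plain(void *face_id) { return face_id; }

/* Both layouts start with a pointer, so the reinterpretation reads
   TFont.filepathname where FTC_OldCMapDesc.face_id is expected. */
int layouts_alias_at_same_offset(void)
{
    return offsetof(TFont, filepathname) == offsetof(FTC_OldCMapDescRec, face_id);
}

/* Sample TFont constructed from the values in the message; returns 1 when
   the resolved face_id is actually the filepathname pointer. */
int demo_aliasing_occurs(void)
{
    TFont font = { "KozMinProVI-Regular.otf", 0, 4, 1114112, NULL, 0 };
    return resolve_face_id_old_internals(&font, font.cmap_index)
           == (const void *)font.filepathname;
}

int demo_plain_preserves(void)
{
    TFont font = { "KozMinProVI-Regular.otf", 0, 4, 1114112, NULL, 0 };
    return resolve_face_id_plain(&font) == (void *)&font;
}
```

With the heuristic, my_face_requester() would receive a `char *` to the path where it expects a PFont, which is exactly the face_index garbage visible in the gdb frames above.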

