[Fontconfig] Wierd crash

[Adam Sampson]

"James H. Cloos Jr." <cloos at jhcloos.com> writes:

> It seems that /usr/share/fonts/default/Type1/n0190041.pfb --
> NimbusSanL-Bold was to blame.  Moving that file out of fc's paths
> allowed everything to work again.

Argh! I'd run into this a couple of weeks ago after some upgrades, but
since I had my head buried in project work at the time I'd just
removed that directory from my font path, intending to come back
later...

This is on my homebrew x86 Linux system, which is Gentoo-ish in that
I'm using bleeding-edge versions of pretty much everything. Running it
under valgrind, it looks like FreeType calling free() on an invalid
pointer:

==30276== 9 errors in context 1 of 2:
==30276== Invalid free() / delete / delete[]
==30276==    at 0x3C01E908: free (vg_replace_malloc.c:127)
==30276==    by 0x3C07831C: ft_free (ftsystem.c:157)
==30276==    by 0x3C0786C9: FT_Free (ftutil.c:134)
==30276==    by 0x3C0B7B7E: T1_Face_Done (t1objs.c:233)
==30276==    by 0x3C07BEF0: destroy_face (ftobjs.c:695)
==30276==    by 0x3C07C302: FT_Done_Face (ftobjs.c:1838)
==30276==    by 0x3C03310C: FcFreeTypeQuery (fcfreetype.c:917)
==30276==    by 0x3C031972: FcFileScan (fcdir.c:113)
==30276==    by 0x3C031E17: FcDirScan (fcdir.c:221)
==30276==    by 0x8048DF7: scanDirs (fc-cache.c:166)
==30276==    by 0x804919B: main (fc-cache.c:278)
==30276==  Address 0x150000 is not stack'd, malloc'd or free'd

[and another 9 with the same backtrace and:]
==30276==  Address 0x1 is not stack'd, malloc'd or free'd

This is while FreeType is freeing the paint_type field in a T1_Font
structure, which is declared as an FT_Byte * but read using
T1_FIELD_TYPE_INTEGER. This looks to me like a FreeType bug:
T1_FIELD_TYPE_INTEGER expects to write into an FT_Byte, not an FT_Byte
*, so that field (which I couldn't find any users of anyway!)
shouldn't be a pointer, and shouldn't get freed. (font_type,
immediately below it in the structure, is an FT_Byte that's read that
way; stroke_width, the next FT_Free(), has the same problem.)

I've changed both paint_type and stroke_fixed to not be pointers in
T1_Font on my copy of freetype-2.1.5, and this seems to fix the
problem, but this is the first time I've looked at the FreeType code,
so it's possible I've just misunderstood something. If anyone else can
confirm that my suspicions are correct, then I'll submit this to the
FreeType people as a fix:

diff -Nru tmp/freetype-2.1.5/include/freetype/internal/t1types.h work/freetype-2.1.5/include/freetype/internal/t1types.h
--- tmp/freetype-2.1.5/include/freetype/internal/t1types.h	2003-05-30 10:12:47.000000000 +0100
+++ work/freetype-2.1.5/include/freetype/internal/t1types.h	2004-05-13 15:39:00.000000000 +0100
@@ -108,14 +108,14 @@
     FT_Byte**        charstrings;       /* array of glyph charstrings */
     FT_Int*          charstrings_len;
 
-    FT_Byte*         paint_type;
+    FT_Byte          paint_type;
     FT_Byte          font_type;
     FT_Matrix        font_matrix;
     FT_Vector        font_offset;
     FT_BBox          font_bbox;
     FT_Long          font_id;
 
-    FT_Fixed*        stroke_width;
+    FT_Fixed         stroke_width;
 
   } T1_FontRec, *T1_Font;
 
diff -Nru tmp/freetype-2.1.5/src/type1/t1objs.c work/freetype-2.1.5/src/type1/t1objs.c
--- tmp/freetype-2.1.5/src/type1/t1objs.c	2003-07-25 23:09:53.000000000 +0100
+++ work/freetype-2.1.5/src/type1/t1objs.c	2004-05-13 15:39:15.000000000 +0100
@@ -229,9 +229,6 @@
       FT_FREE( type1->encoding.char_name );
       FT_FREE( type1->font_name );
 
-      FT_FREE( type1->paint_type );
-      FT_FREE( type1->stroke_width );
-
 #ifndef T1_CONFIG_OPTION_NO_AFM
       /* release afm data if present */
       if ( face->afm_data )

Hope this helps,

-- 
Adam Sampson <azz at us-lot.org>                        <http://offog.org/>