[Fontconfig] Missing FcValueSave() in FcConfigEvaluate() (KDE bug #119108)
Lubos Lunak
l.lunak at suse.cz
Mon Jan 2 08:52:56 PST 2006
Hello,
please review the attached patch. It should fix a fontconfig crash triggered
by a Qt patch that should improve font loading performance
(FcFontSort->FcFontMatch, but that should actually be irrelevant). A Valgrind
log for the crash is attached; it's a double free.
Now, I actually don't have any simple testcase or a good understanding of
those strange things done in fontconfig, but I have the patch :). As the
patch seems to be rather simple and obvious, I hope we can skip this
complicated step.
If I'm getting it right, FcConfigEvaluate() always allocates its result,
which should be freed at some later point. It itself does so e.g. in the
FcOpOr..FcOpDivide cases, where it recursively calls itself. In the FcOpField
case it calls FcPatternGet(), which however doesn't seem to create a copy of
the value; it only calls FcValueCanonicalize() and assigns the value. This
specific crash seems to happen only for type FcTypeMatrix.
If the patch is ok, please apply it. Otherwise I'll try to elaborate more on
the problem or try to create a testcase.
--
Lubos Lunak
KDE developer
---------------------------------------------------------------------
SuSE CR, s.r.o. e-mail: l.lunak at suse.cz , l.lunak at kde.org
Drahobejlova 27 tel: +420 2 9654 2373
190 00 Praha 9 fax: +420 2 9654 2374
Czech Republic http://www.suse.cz/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fccfg.c.patch
Type: text/x-diff
Size: 364 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/fontconfig/attachments/20060102/e5a586e7/fccfg.c.bin
-------------- next part --------------
==19365== Invalid free() / delete / delete[]
==19365== at 0x1B9003C3: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==19365== by 0x1B92070A: FcMatrixFree (fcmatrix.c:52)
==19365== by 0x1B922642: FcValueListDestroy (fcpat.c:160)
==19365== by 0x1B911923: FcConfigDel (fccfg.c:1216)
==19365== by 0x1B911A00: FcConfigPatternDel (fccfg.c:1249)
==19365== by 0x1B911F3E: FcConfigSubstituteWithPat (fccfg.c:1423)
==19365== by 0x1B91F7D4: FcFontRenderPrepare (fcmatch.c:501)
==19365== by 0x1B91FD7A: FcFontSetMatch (fcmatch.c:696)
==19365== by 0x1B91FE15: FcFontMatch (fcmatch.c:718)
==19365== by 0x42E158AD: XftFontMatch (in /usr/X11R6/lib/libXft.so.2.1.2)
==19365== by 0x1BEC6D8D: loadFontConfigFont(QFontPrivate const*, QFontDef const&, QFont::Script) (qfontdatabase_x11.cpp:1895)
==19365== by 0x1BEC753B: QFontDatabase::findFont(QFont::Script, QFontPrivate const*, QFontDef const&, int) (qfontdatabase.cpp:981)
==19365== Address 0x1C3F32D0 is 0 bytes inside a block of size 32 free'd
==19365== at 0x1B9003C3: free (in /usr/lib/valgrind/vgpreload_memcheck.so)
==19365== by 0x1B92070A: FcMatrixFree (fcmatrix.c:52)
==19365== by 0x1B922328: FcValueDestroy (fcpat.c:78)
==19365== by 0x1B910B8E: FcConfigEvaluate (fccfg.c:962)
==19365== by 0x1B911509: FcConfigValues (fccfg.c:1113)
==19365== by 0x1B911D83: FcConfigSubstituteWithPat (fccfg.c:1362)
==19365== by 0x1B91F7D4: FcFontRenderPrepare (fcmatch.c:501)
==19365== by 0x1B91FD7A: FcFontSetMatch (fcmatch.c:696)
==19365== by 0x1B91FE15: FcFontMatch (fcmatch.c:718)
==19365== by 0x42E158AD: XftFontMatch (in /usr/X11R6/lib/libXft.so.2.1.2)
==19365== by 0x1BEC6D8D: loadFontConfigFont(QFontPrivate const*, QFontDef const&, QFont::Script) (qfontdatabase_x11.cpp:1895)
==19365== by 0x1BEC753B: QFontDatabase::findFont(QFont::Script, QFontPrivate const*, QFontDef const&, int) (qfontdatabase.cpp:981)
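As an added illustration (not the attached patch and not fontconfig's code), the ownership mismatch the mail describes in a self-contained C model: a field lookup that returns the pattern's value by reference, an evaluate step that hands it to a caller which frees it, and the deep copy that fixes it. The names value_save, pattern_get and evaluate_field_* are assumed stand-ins for FcValueSave(), FcPatternGet() and the FcOpField case.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Minimal model (not fontconfig's types): a value may own a heap matrix. */
typedef enum { TypeInt, TypeMatrix } ValueType;
typedef struct { double xx, xy, yx, yy; } Matrix;
typedef struct { ValueType type; union { int i; Matrix *m; } u; } Value;

/* Deep copy, analogous to FcValueSave(): the result owns its own matrix. */
Value value_save(Value v) {
    if (v.type == TypeMatrix && v.u.m) {
        Matrix *copy = malloc(sizeof *copy);
        *copy = *v.u.m;
        v.u.m = copy;
    }
    return v;
}

/* Release what the value owns, analogous to FcValueDestroy(). */
void value_destroy(Value v) {
    if (v.type == TypeMatrix) free(v.u.m);
}

/* Field lookup returns the pattern's value by reference, as the mail says
 * FcPatternGet() does: no copy, the pattern still owns the matrix. */
Value pattern_get(const Value *pattern) { return *pattern; }

/* Buggy FcOpField: a borrowed matrix is returned as if the caller owned it. */
Value evaluate_field_buggy(const Value *pattern) { return pattern_get(pattern); }

/* Fixed FcOpField: copy first, so the caller may destroy the result. */
Value evaluate_field_fixed(const Value *pattern) {
    return value_save(pattern_get(pattern));
}

/* True when the evaluated result does not alias the pattern's matrix, i.e.
 * destroying both (as FcConfigEvaluate's callers and FcConfigDel do) is one
 * free per allocation. The aliased case is detected, not executed, since a
 * real double free is undefined behaviour. */
bool evaluation_is_safe(Value (*evaluate)(const Value *)) {
    Matrix *m = malloc(sizeof *m);
    *m = (Matrix){1, 0, 0, 1};
    Value pattern = { TypeMatrix, { .m = m } };
    Value r = evaluate(&pattern);
    bool aliased = (r.type == TypeMatrix && r.u.m == pattern.u.m);
    if (!aliased) value_destroy(r);   /* caller frees its own result */
    value_destroy(pattern);           /* pattern frees the matrix it owns */
    return !aliased;
}
```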