Details
Issue of the Implementation # S0797
Brief
Operations with some Type 42 fonts cause invalid free()
Detailed Description
When working with the Type 42 font FreeMono.t42, an invalid free() occurs in FT_Done_Face(). The attached example demonstrates this. The problem does not show up for some other Type 42 fonts.
The FreeMono.t42 font was created with the FontForge system (http://fontforge.sourceforge.net/) by converting the FreeMono.ttf font (http://ftp.gnu.org/gnu/freefont/) to Type 42.
The issue described here also exists in the Freetype2 version of 2009.04.30 (the latest one at the time of reporting), taken from the Freetype2 git repository.
Executing the example program under Valgrind's MemCheck gives the following:
==10238== Invalid free() / delete / delete[]
==10238==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==10238==    by 0x4E3903E: ft_free (ftsystem.c:158)
==10238==    by 0x4E45D6A: ft_mem_free (ftutil.c:171)
==10238==    by 0x4E7A4EF: T42_Face_Done (t42objs.c:407)
==10238==    by 0x4E3C27C: destroy_face (ftobjs.c:865)
==10238==    by 0x4E3E01F: FT_Done_Face (ftobjs.c:2227)
==10238==    by 0x4008C8: main (sample_t42.c:41)
==10238==  Address 0x5660000 is not stack'd, malloc'd or (recently) free'd
The failure in t42objs.c file occurs when FT_FREE (info->version) is called. Debugging the program showed that the fields of the structure info look reasonable except info->version. The latter field should contain a pointer to FT_String but actually it contains an invalid address value and that results in invalid free(). That is, perhaps there might be a problem in loading of the font rather than in T42_Face_Done() itself.
Executing ftview example for FreeMono.t42 font results in a crash for the same reason. Analysis carried out here using Valgrind gives the same data as listed above.
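The MemCheck report above can be triaged mechanically when many such logs have to be compared, for instance from ftview and from the sample program. The following is an added example, not part of the original report or of FreeType: it parses the trace quoted on this page and picks the first frame that is not allocator plumbing. The function names parse_invalid_frees and blame_frame and the choice of which frames count as wrappers are assumptions of this example.

```python
import re

# Valgrind MemCheck output quoted in this report.
MEMCHECK_LOG = """\
==10238== Invalid free() / delete / delete[]
==10238==    at 0x4C265AF: free (vg_replace_malloc.c:323)
==10238==    by 0x4E3903E: ft_free (ftsystem.c:158)
==10238==    by 0x4E45D6A: ft_mem_free (ftutil.c:171)
==10238==    by 0x4E7A4EF: T42_Face_Done (t42objs.c:407)
==10238==    by 0x4E3C27C: destroy_face (ftobjs.c:865)
==10238==    by 0x4E3E01F: FT_Done_Face (ftobjs.c:2227)
==10238==    by 0x4008C8: main (sample_t42.c:41)
==10238==  Address 0x5660000 is not stack'd, malloc'd or (recently) free'd
"""
# Assumption: these frames are allocator plumbing, not the code that chose the pointer.
ALLOC_WRAPPERS = {"free", "ft_free", "ft_mem_free"}
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:()]+):(\d+)\)")
ADDR_RE = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is (.+)$")

def parse_invalid_frees(log):
    """Return one dict per 'Invalid free()' report: frames, address, address note."""
    reports, cur = [], None
    for line in log.splitlines():
        frame, addr = FRAME_RE.match(line), ADDR_RE.match(line)
        if "Invalid free()" in line:
            cur = {"frames": [], "address": None, "note": None}
            reports.append(cur)
        elif cur is not None and frame:
            cur["frames"].append((frame.group(1), frame.group(2), int(frame.group(3))))
        elif cur is not None and addr:
            cur["address"], cur["note"] = addr.group(1), addr.group(2)
            cur = None  # the Address line closes this report
    return reports

def blame_frame(report):
    """First frame that is not allocator plumbing: the caller that passed the pointer."""
    for frame in report["frames"]:
        if frame[0] not in ALLOC_WRAPPERS:
            return frame
    return None

if __name__ == "__main__":
    for r in parse_invalid_frees(MEMCHECK_LOG):
        print(r["address"], r["note"], "->", blame_frame(r))
```

For this trace the selected frame is T42_Face_Done at t42objs.c:407, which agrees with the FT_FREE (info->version) call identified in the description.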
Problem location(s) in the standard
Linux Standard Base Desktop Specification 3.2, Chapter 12. Libraries, 12.1 Interfaces for libfreetype, which refers to the FreeType-2.1.10 API Reference
Component
freetype 2.3.9
Accepted
Status
Fixed in freetype 2.3.10