https://bugzilla.redhat.com/show_bug.cgi?id=2104570

            Bug ID: 2104570
           Summary: Multiple wild free when gzip and plain svgDoc are
                    mixed in font.
           Product: Fedora
           Version: 36
          Hardware: All
                OS: All
            Status: NEW
         Component: freetype
          Severity: high
          Assignee: mka...@redhat.com
          Reporter: bunge...@chromium.org
        QA Contact: extras...@fedoraproject.org
                CC: a...@redhat.com, caillon+fedoraproj...@gmail.com,
                    fonts-bugs@lists.fedoraproject.org,
                    gnome-...@lists.fedoraproject.org, mcla...@redhat.com,
                    mka...@redhat.com, rstr...@redhat.com,
                    sandm...@redhat.com
  Target Milestone: ---
           Link ID: freedesktop.org Gitlab freetype/freetype/-/issues/1162
    Classification: Fedora



Description of problem:

With FreeType commit f93a897afedf4a634c74d3d2871519e675ee0d83 (which was
released in FreeType 2.12.0) support for OT-SVG was added. However, this
implementation contained a bug where, if the `SVG ` table contained a mix of
compressed and uncompressed documents, the uncompressed documents may be freed
every time they are used. In general these documents were not malloc'ed, so this
was also a wild free.

This issue has been fixed upstream with FreeType commit
c26872ed59cba3af2f407b5eefc92fcec92aa52b "[svg] Clear correct flags for doc
ownership" which landed after 2.12.1 was released (this commit is not yet in a
tagged release). The patch itself is almost trivial:

diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index eeda69c3e..f66273f3d 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -605,7 +605,7 @@


         FT_FREE( doc->svg_document );
-        slot->internal->load_flags &= ~FT_GLYPH_OWN_GZIP_SVG;
+        slot->internal->flags &= ~FT_GLYPH_OWN_GZIP_SVG;
       }
     }
 #endif
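Review bot: the `+` line now clears FT_GLYPH_OWN_GZIP_SVG from `slot->internal->flags` instead of `slot->internal->load_flags`; this is only a complete fix if the guard that leads to `FT_FREE( doc->svg_document )` and the code that sets the bit when a gzip document is inflated both use `flags` as well, since a bit cleared from the wrong field outlives the glyph and makes the next uncompressed document look owned. The hunk carries no function context and shows only the `FT_FREE` line above the change, so that consistency cannot be confirmed from the patch alone; a one-line note in the commit message naming the field that holds the ownership bit would help backporters verify it.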

This should be applied to the freetype-2.12.1-1 packages currently in 36 and 37.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013094 where this
was reported and fixed in Debian.
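To make the mechanism concrete, here is a hypothetical C model (added here; it is not FreeType's code and not part of this report) of the slot state the patch touches: an ownership bit set when a gzip document is inflated and, before the fix, cleared from `load_flags` instead of `flags`, so it survives into the next glyph and a plain document living in the font's table is handed to free. `Slot`, `load_glyph`, `release_doc` and `plain_doc` are constructed names.

```c
#include <stdlib.h>

/* Hypothetical model of the slot state behind the bug; field names mirror
 * the patch (slot->internal->flags vs load_flags) but this is not FreeType's code. */
#define FT_GLYPH_OWN_GZIP_SVG 0x1u

typedef struct {
    struct { unsigned flags, load_flags; } internal;
    const char *svg_document;  /* heap buffer (gzip) or pointer into the table (plain) */
    int wild_frees;            /* constructed counter: frees aimed at non-owned memory */
} Slot;

/* Constructed stand-in for an uncompressed document stored inside the `SVG ` table. */
static const char plain_doc[] = "<svg/>";

/* A gzip document is inflated into a buffer the slot owns; a plain one is used
 * in place and must never be freed. */
static void load_glyph(Slot *slot, int gzip)
{
    if (gzip) {
        slot->svg_document = malloc(64);   /* stands in for the inflated SVG */
        slot->internal.flags |= FT_GLYPH_OWN_GZIP_SVG;
    } else {
        slot->svg_document = plain_doc;    /* not owned; ownership bit untouched */
    }
}

/* Release path. `fixed` selects the field the ownership bit is cleared from:
 * load_flags (pre-fix: the bit leaks into the next glyph) or flags (upstream fix). */
static void release_doc(Slot *slot, int fixed)
{
    if (slot->internal.flags & FT_GLYPH_OWN_GZIP_SVG) {
        if (slot->svg_document == plain_doc) slot->wild_frees++;  /* real code: wild free */
        else free((void *)slot->svg_document);                     /* owned buffer */
        unsigned *field = fixed ? &slot->internal.flags : &slot->internal.load_flags;
        *field &= ~FT_GLYPH_OWN_GZIP_SVG;
    }
    slot->svg_document = NULL;
}

/* Render a gzip glyph and then a plain glyph through one slot, as a mixed font
 * does, and report how many frees would have hit non-owned memory. */
int wild_frees_for(int fixed)
{
    Slot slot = { { 0, 0 }, NULL, 0 };
    load_glyph(&slot, 1); release_doc(&slot, fixed);
    load_glyph(&slot, 0); release_doc(&slot, fixed);
    return slot.wild_frees;   /* 1 before the fix, 0 after */
}
```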


Version-Release number of selected component (if applicable): Fedora 36 and 37


How reproducible: The upstream issue tracker [0] has an attached
font which usually crashes in FreeType when trying to use it.


Steps to Reproduce:
1. Download SampleSVG.ttf from [0].
2. Compile the FreeType demos with OT-SVG support.
3. Use SampleSVG.ttf.

Actual results:
At best a crash with glibc reporting an invalid free. At worst a wild free.


Expected results:
No crash, no wild free.


Additional info:
[0] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1162

