Package: fontforge
Version: 0.0.20070501-1
Severity: grave
Tags: patch

fontforge crashes on amd64 during compilation on ttf-dejavu package:
% ./generate.sh
Copyright (c) 2000-2007 by George Williams.
 Executable based on sources from 13:10 1-May-2007.
Segmentation fault

This does not happen on i386, but given multiple errors from valgrind I think it can crash with other fonts, generate incorrect output or do other strange things.

The problem is in code like the following (from lookups.c):

    if ( cnt>=tot )
        lookups = grealloc(lookups,(tot++)*sizeof(uint32));
    lookups[cnt] = 0;

Here there are two things:

1. lookups = grealloc(lookups,(tot++)*sizeof(uint32));

   Before those lines lookups was allocated as an array of tot values, so this line can be simplified to just:

       tot++

   This line gives no other results. And the line that follows will write to random parts of memory (but see #2).

2. In this part of code lookups is defined as an array of pointers. Those pointers are 64-bit on amd64. So this code will shrink allocated memory. This point does not apply to the other 2 instances of such code.

Attached patch fixes this problem by replacing tot++ by tot=cnt+1, so the next line will write to allocated memory. This patch also fixes the incorrect type for the lookups array.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.21-me (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=uk_UA.UTF-8, LC_CTYPE=uk_UA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fontforge depends on:
ii  libc6             2.5-7            GNU C Library: Shared libraries
ii  libfreetype6      2.2.1-5          FreeType 2 font engine, shared lib
ii  libice6           1:1.0.3-2        X11 Inter-Client Exchange library
ii  libjpeg62         6b-13            The Independent JPEG Group's JPEG
ii  libpng12-0        1.2.15~beta5-1   PNG library - runtime
ii  libsm6            1:1.0.2-2        X11 Session Management library
ii  libtiff4          3.8.2-7          Tag Image File Format (TIFF) libra
ii  libungif4g        4.1.4-4          shared library for GIF images
ii  libuninameslist0  0.0.20060907-2   a library of Unicode annotation da
ii  libx11-6          2:1.0.3-7        X11 client-side library
ii  libxml2           2.6.28.dfsg-1    GNOME XML library
ii  python2.4         2.4.4-4          An interactive high-level object-o
ii  zlib1g            1:1.2.3-13       compression library - runtime

fontforge recommends no packages.

-- no debconf information
Index: fontforge/fontforge/lookups.c =================================================================== --- fontforge/fontforge/lookups.c.orig 2007-05-08 20:33:22.000000000 +0200 +++ fontforge/fontforge/lookups.c 2007-05-08 20:34:13.000000000 +0200 @@ -187,7 +187,7 @@ qsort(scripts,cnt,sizeof(uint32),uint32_cmp); /* add a 0 entry to mark the end of the list */ if ( cnt>=tot ) - scripts = grealloc(scripts,(tot++)*sizeof(uint32)); + scripts = grealloc(scripts,(tot=cnt+1)*sizeof(uint32)); scripts[cnt] = 0; return( scripts ); } @@ -259,7 +259,7 @@ qsort(langs,cnt,sizeof(uint32),lang_cmp); /* add a 0 entry to mark the end of the list */ if ( cnt>=tot ) - langs = grealloc(langs,(tot++)*sizeof(uint32)); + langs = grealloc(langs,(tot=cnt+1)*sizeof(uint32)); langs[cnt] = 0; return( langs ); } @@ -373,7 +373,7 @@ /* lookup order is irrelevant here. might as well leave it in invocation order */ /* add a 0 entry to mark the end of the list */ if ( cnt>=tot ) - lookups = grealloc(lookups,(tot++)*sizeof(uint32)); + lookups = grealloc(lookups,(tot=cnt+1)*sizeof(OTLookup *)); lookups[cnt] = 0; return( lookups ); }
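Review bot: In the scripts hunk (@@ -187), the assignment tot=cnt+1 inside the grealloc argument does the right thing (with the cnt>=tot guard it always requests at least one more slot than the old tot, so scripts[cnt] lands inside the new block), but a side effect buried in a call argument is easy to misread on later edits; suggest "tot = cnt+1;" on its own line before the call, and sizeof(*scripts) in place of sizeof(uint32) so the element size follows the array's declared type instead of being restated by hand. The langs hunk (@@ -259) is identical and the same applies there.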
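Review bot: In the lookups hunk (@@ -373), switching the element size to sizeof(OTLookup *) is the essential fix (the old sizeof(uint32) halved the block on LP64 before lookups[cnt] was written one past the old end), but spelling the type out again is how the mismatch crept in; prefer sizeof(*lookups), which cannot drift from whatever lookups is declared as. A one-line comment on the "add a 0 entry" line noting that the terminator needs a slot beyond cnt would also make the cnt>=tot guard self-explanatory.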
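As an added example, not code from the bug report or from FontForge's sources, the C block below models the growth idiom from lookups.c with a generic void * array standing in for the OTLookup * array, putting the bytes the original expression requests next to the bytes the patched expression requests, and running the patched idiom on a constructed full buffer:

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed example, not FontForge code: void * stands in for OTLookup *,
 * and the terminator idiom is the one from the bug report. */

/* Bytes requested by the original grealloc(lookups,(tot++)*sizeof(uint32)):
 * the post-increment passes the OLD tot, so the buffer never grows, and the
 * element size is uint32 although the array holds pointers (8 bytes on
 * amd64), so the block is cut to half before lookups[cnt] is written. */
size_t buggy_request_bytes(int tot) {
    return (size_t)tot * sizeof(uint32_t);
}

/* Bytes the patched form (tot=cnt+1)*sizeof(OTLookup *) requests: room for
 * the cnt entries plus the 0 terminator, sized by the real element type. */
size_t fixed_request_bytes(int cnt) {
    return (size_t)(cnt + 1) * sizeof(void *);
}

/* Patched idiom: append the terminator to a pointer array holding cnt used
 * entries in a buffer of capacity *tot. Returns the (possibly moved) buffer. */
void **terminate_list(void **list, int cnt, int *tot) {
    if (cnt >= *tot) {
        void **grown = realloc(list, (size_t)(*tot = cnt + 1) * sizeof(*list));
        if (grown == NULL) {
            free(list);
            return NULL;
        }
        list = grown;
    }
    list[cnt] = NULL;
    return list;
}

/* Fill a buffer exactly to capacity (the case that triggers the realloc),
 * terminate it, and return the number of entries a consumer walking to the
 * 0 terminator sees; -1 on allocation failure. */
int demo_full_buffer(int n) {
    int tot = n, i, seen = 0;
    void **list = malloc((size_t)tot * sizeof(*list));
    if (list == NULL) return -1;
    for (i = 0; i < n; i++) list[i] = &tot;     /* any non-NULL pointer */
    list = terminate_list(list, n, &tot);
    if (list == NULL) return -1;
    while (list[seen] != NULL) seen++;
    free(list);
    return seen;
}
```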