RE: [Devel] NT crash in psaux

freetype-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Devel] NT crash in psaux

From:	Blinn, Eric W
Subject:	RE: [Devel] NT crash in psaux
Date:	Wed, 31 Jan 2001 16:59:45 -0600

Okay, I finally found a consistent way to reproduce this in our application.
Since then I've started making some progress.  Unfortunately, I have to
leave for the day so I'm setting it aside until tomorrow.  However, let me
summarize what I know in case somebody want to continue looking into it
today...

What really leads to this crash is that when we get into PS_Table_Add(), we
pass in "table" and "object".  Sometimes table->block and object point to
the same piece of memory.  I haven't backtracked yet to see how we've gotten
ourselves into this messy state.  The bottom line is that if table->cursor +
length is greater than table->capacity, then we end up doing a realloc() on
table.  If realloc() can't increase the existing memory chunk, then it will
free it (leaving pointer object dangling) and malloc a new block of the
desired size.  Then we go on to do the MEM_Copy() a few lines later, at
which point NT/VC++ chokes when we try to read the unallocated memory object
is still pointing at.


> -----Original Message-----
> From: Werner LEMBERG [mailto:address@hidden
> Sent: Wednesday, January 31, 2001 1:35 PM
> To: address@hidden
> Cc: address@hidden
> Subject: Re: [Devel] NT crash in psaux
> 
> 
> 
> > The crash happens when PS_Table_Add() calls MEM_Copy() with a
> > "source" argument (variable name object) pointing to memory that has
> > already been freed.  This results in a free memory read and a crash
> > on NT/VC++.  I also work on DEC OSF/1 with the native DEC compiler,
> > but we don't crash there presumably because the platform let's us
> > get away with reading unallocated memory.
> 
> It seems to me that `reallocate_t1_table()' is buggy: It reallocates
> `table->block' (saving its old address in `old_base'), then calls
> `shift_elements()', using `old_base'.
> 
> IIRC it is not guaranteed that a newly allocated memory block (in case
> realloc() doesn't increase the old one) doesn't overlap with the old
> block, so shift_elements() will cause trouble.  Additionally, the
> memory pointed to by `old_base' is no longer valid in this case.
> 
> 
>     Werner
> 
> _______________________________________________
> Devel mailing list
> address@hidden
> http://www.freetype.org/mailman/listinfo/devel
>

[Prev in Thread]

Current Thread

[Next in Thread]

[Devel] NT crash in psaux, Blinn, Eric W, 2001/01/30
- Re: [Devel] NT crash in psaux, Werner LEMBERG, 2001/01/31
- RE: [Devel] NT crash in psaux, Blinn, Eric W <=

Prev by Date: Re: [Devel] NT crash in psaux
Next by Date: [Devel] Re: Comments on Microsoft ClearType technology
Previous by thread: Re: [Devel] NT crash in psaux
Next by thread: [Devel] Comments on Microsoft ClearType technology (fwd)
Index(es):
- Date
- Thread