[ft-devel] ttfautohint: freeing invalid pointer on composite glyph in TA_sfnt_build_delta_exceptions()

[Nikolaus Waxweiler]

Hi list,
we stumbled over the following issue that is present since at least 1.7:

1. Unzip test.zip
2. fontmake -u test.ufo/ -o ttf
3. ttfautohint -l 8 -r 50 -G 50 -x 14 -D latn -f latn -m test.ctrl -w G 
-X "" master_ttf/.ttf test.ttf --symbol

The program aborts with "munmap_chunk(): invalid pointer" at 
tabytecode.c:1130, which is "free(delta_before_IUP_args[i])". `i` always 
seems to be 4 here.

(gdb) print *(delta_before_IUP_args[4])
$6 = 207

(gdb) print num_delta_before_IUP_args
$7 = {0, 0, 0, 22, 0, 0}


The values in the control file are arbitrary, and the crash happens on a 
composite glyph that just references another.


Backtrace:
#0  0x00007ffff635f66b in raise () from /lib64/libc.so.6
#1  0x00007ffff6361381 in abort () from /lib64/libc.so.6
#2  0x00007ffff63a9a57 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff63b09aa in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff63b9224 in free () from /lib64/libc.so.6
#5  0x00007ffff7ba0bf9 in TA_sfnt_build_delta_exceptions (
    sfnt=<optimized out>, sfnt=<optimized out>, bufp=0x6bbe23 "", idx=79,
    font=<optimized out>) at tabytecode.c:1130
#6  TA_sfnt_build_glyph_instructions (address@hidden,
    address@hidden, address@hidden) at tabytecode.c:3017
#7  0x00007ffff7bb104b in TA_sfnt_build_glyf_hints (font=0x6264a0,
    sfnt=0x639b10) at taglyf.c:39
#8  TA_sfnt_build_glyf_table (address@hidden,
    address@hidden) at taglyf.c:835
#9  0x00007ffff7bbf88b in TTF_autohint (options=<optimized out>,
    address@hidden "in-file, out-file, 
control-file,reference-file, reference-index, 
reference-name,hinting-range-min, hinting-range-max, 
hinting-limit,gray-stem-width-mode, 
gdi-cleartype-stem-width-mode,dw-cleartype-ste"...)
    at ttfautohint.c:737
#10 0x0000000000402901 in main (argc=<optimized out>, argv=<optimized out>)
    at main.cpp:1507

test.zip
Description: Zip archive