Re: [XForms] Bug Fix - fonts.c


From: Sunny
Subject: Re: [XForms] Bug Fix - fonts.c
Date: Fri, 11 Apr 2014 20:32:21 +0530

>So it crashed for you too, but in a different way? I am using the
>-stable library so it crashed on the 10th or 13th call to
>fl_set_object_lsize().

Okay, I actually found the bug. The actual culprit for the double free
was the lines below:

        fs = k == -1 ? ( flx->fs ? flx->fs : defaultfs ) : flf->fs[ k ];

        /* If we did not get it this time, we won't get it next time either,
           so replace it with whatever we found  */

        flf->size[ flf->nsize ] = size;
        flf->fs[ flf->nsize ] = fs;
        flf->nsize++;

As you can see, this basically results in two pointer references for
the same XFontStruct. flf->fs[k] and flf->fs[flf->nsize] refer to the
same object.

Later on, the library frees them by looping from 0 to flf->nsize. So
it frees flf->fs[k], which is correct, but then also attempts to free
flf->fs[ flf->nsize ], which results in the crash (as it refers to
flf->fs[k]).

The below is the diff I got from git - it looks odd, so let me know if
I need to repost it. I basically added a #if 0 ... #endif to the wrong
code and introduced some safe checks. The last-ditch attempt for fs is
now this:
        fs = flx->fs ? flx->fs : defaultfs;

Yes, I tested the thing. It does stop the crashing I experienced.

@@ -323,17 +335,17 @@ try_get_font_struct( int numb,
             fs = flf->fs[ i ];
 #if FL_DEBUG >= ML_DEBUG
             M_debug( "try_get_font_struct", "Cache hit: %s",
-                     fl_cur_fontname );
+                     fli_curfnt );
 #endif
         }

     /* If requested font is not found or cache is full, get the destination
        cache for this size */

-    if ( ! fs && flf->nsize == FL_MAX_FONTSIZES )
+    if ( ! fs && flf->nsize >= FL_MAX_FONTSIZES )
     {
         XFreeFont( flx->display, flf->fs[ FL_MAX_FONTSIZES - 1 ] );
-        flf->nsize--;
+        flf->nsize = FL_MAX_FONTSIZES - 1;
     }

     /* Font is not cached, try to load it */
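Review bot: Relaxing the full-cache guard from `== FL_MAX_FONTSIZES` to `>= FL_MAX_FONTSIZES` only hides the case where `flf->nsize` has already grown past the array: the eviction frees `flf->fs[ FL_MAX_FONTSIZES - 1 ]`, so any pointer stored beyond that index was an out-of-bounds write that is never released, and `flf->nsize = FL_MAX_FONTSIZES - 1` then silently forgets it. The invariant `nsize <= FL_MAX_FONTSIZES` belongs at the store site (`flf->fs[ flf->nsize ] = fs`), where a bounds check or assert would fail loudly; with that in place the original `flf->nsize--` is sufficient. The `fl_cur_fontname` to `fli_curfnt` change in the debug message is unrelated to the double free and would be clearer as a separate commit.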
@@ -356,6 +368,10 @@ try_get_font_struct( int numb,
     /* Didn't get it. Try to find a substitute */

     if ( ! fs )
+        fs = flx->fs ? flx->fs : defaultfs;
+
+#if 0
+    if ( ! fs )
     {
         int mdiff = 1000,
             k = -1;
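Review bot: The new fallback `fs = flx->fs ? flx->fs : defaultfs;` can still leave `fs` NULL when `defaultfs` is NULL, which contradicts the "guaranteed a valid font handle" comment that follows the disabled block; an explicit check or assert on `defaultfs` would make that guarantee hold. Returning `flx->fs` / `defaultfs` without inserting the pointer into `flf->fs[]` is the right way to avoid a second owning slot for the same XFontStruct, but wrapping the old substitute search in `#if 0` keeps the aliasing code in the tree where it can be re-enabled; deleting it outright is safer.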
@@ -382,6 +398,7 @@ try_get_font_struct( int numb,
         flf->fs[ flf->nsize ] = fs;
         flf->nsize++;
     }
+#endif

     /* Here we are guranteed a valid font handle although there is no
        gurantee the font handle corresponds to the font requested */
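Review bot: Closing the `#if 0` here leaves the disabled substitute path, including the `flf->fs[ flf->nsize ] = fs;` / `flf->nsize++;` store that created the second owning reference, in the source; remove the block rather than disable it. While touching this area, the comment's "guranteed" / "gurantee" typos could be corrected to "guaranteed" / "guarantee".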

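The aliasing described in the post, reduced to a small owning cache as an added example (this is constructed illustration code, not XForms' fonts.c; `font_t`, `font_cache_t`, `MAX_SIZES` and `cache_put` are stand-ins for XFontStruct, the per-font cache, FL_MAX_FONTSIZES and the store that the disabled substitute path performed). It shows the check that prevents one pointer from occupying two owning slots, so the 0..nsize teardown loop frees it exactly once:

```c
#include <stdlib.h>

#define MAX_SIZES 4                 /* stands in for FL_MAX_FONTSIZES (constructed) */

typedef struct { int px; } font_t;  /* stand-in for XFontStruct; the cache owns it */

typedef struct {
    int     size[MAX_SIZES];
    font_t *fs[MAX_SIZES];
    int     nsize;
} font_cache_t;

static int frees;                   /* counts releases, like XFreeFont calls */
static void font_free(font_t *f) { frees++; free(f); }

/* Store f under `size`: 1 if stored, 0 if refused. The duplicate-pointer
   check is what the substitute path in the post lacked: storing an
   flf->fs[k] again under a new size gives one object two owning slots,
   and the 0..nsize teardown loop then frees it twice. */
int cache_put(font_cache_t *c, int size, font_t *f) {
    if (!f || c->nsize >= MAX_SIZES)
        return 0;                   /* full: never write past the array */
    for (int i = 0; i < c->nsize; i++)
        if (c->fs[i] == f)
            return 0;               /* already owned by slot i: do not alias */
    c->size[c->nsize] = size;
    c->fs[c->nsize] = f;
    c->nsize++;
    return 1;
}

/* Release each owned pointer exactly once (the library's 0..nsize loop). */
void cache_free_all(font_cache_t *c) {
    for (int i = 0; i < c->nsize; i++) { font_free(c->fs[i]); c->fs[i] = NULL; }
    c->nsize = 0;
}

/* Scenario from the post: the substitute chosen for size 14 is the font
   already cached for size 12. Returns how many frees teardown performed. */
int scenario_frees(void) {
    font_cache_t c = { {0}, {0}, 0 };
    font_t *f12 = malloc(sizeof *f12);
    if (!f12) return -1;
    frees = 0;
    cache_put(&c, 12, f12);
    cache_put(&c, 14, f12);         /* refused: would alias slot 0 */
    cache_free_all(&c);
    return frees;                   /* 1, not the 2 that crashed XForms */
}
```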