"James H. Cloos Jr." <cloos@xxxxxxxxxxx> writes:

> It seems that /usr/share/fonts/default/Type1/n0190041.pfb --
> NimbusSanL-Bold was to blame. Moving that file out of fc's paths
> allowed everything to work again.

Argh! I'd run into this a couple of weeks ago after some upgrades, but since I had my head buried in project work at the time I'd just removed that directory from my font path, intending to come back later...

This is on my homebrew x86 Linux system, which is Gentoo-ish in that I'm using bleeding-edge versions of pretty much everything.

Running it under valgrind, it looks like FreeType calling free() on an invalid pointer:

==30276== 9 errors in context 1 of 2:
==30276== Invalid free() / delete / delete[]
==30276==    at 0x3C01E908: free (vg_replace_malloc.c:127)
==30276==    by 0x3C07831C: ft_free (ftsystem.c:157)
==30276==    by 0x3C0786C9: FT_Free (ftutil.c:134)
==30276==    by 0x3C0B7B7E: T1_Face_Done (t1objs.c:233)
==30276==    by 0x3C07BEF0: destroy_face (ftobjs.c:695)
==30276==    by 0x3C07C302: FT_Done_Face (ftobjs.c:1838)
==30276==    by 0x3C03310C: FcFreeTypeQuery (fcfreetype.c:917)
==30276==    by 0x3C031972: FcFileScan (fcdir.c:113)
==30276==    by 0x3C031E17: FcDirScan (fcdir.c:221)
==30276==    by 0x8048DF7: scanDirs (fc-cache.c:166)
==30276==    by 0x804919B: main (fc-cache.c:278)
==30276== Address 0x150000 is not stack'd, malloc'd or free'd

[and another 9 with the same backtrace and:]

==30276== Address 0x1 is not stack'd, malloc'd or free'd

This is while FreeType is freeing the paint_type field in a T1_Font structure, which is declared as an FT_Byte * but read using T1_FIELD_TYPE_INTEGER. This looks to me like a FreeType bug: T1_FIELD_TYPE_INTEGER expects to write into an FT_Byte, not an FT_Byte *, so that field (which I couldn't find any users of anyway!) shouldn't be a pointer, and shouldn't get freed. (font_type, immediately below it in the structure, is an FT_Byte that's read that way; stroke_width, the next FT_Free(), has the same problem.)

I've changed both paint_type and stroke_fixed to not be pointers in T1_Font on my copy of freetype-2.1.5, and this seems to fix the problem, but this is the first time I've looked at the FreeType code, so it's possible I've just misunderstood something. If anyone else can confirm that my suspicions are correct, then I'll submit this to the FreeType people as a fix:

diff -Nru tmp/freetype-2.1.5/include/freetype/internal/t1types.h work/freetype-2.1.5/include/freetype/internal/t1types.h --- tmp/freetype-2.1.5/include/freetype/internal/t1types.h 2003-05-30 10:12:47.000000000 +0100 +++ work/freetype-2.1.5/include/freetype/internal/t1types.h 2004-05-13 15:39:00.000000000 +0100 @@ -108,14 +108,14 @@ FT_Byte** charstrings; /* array of glyph charstrings */ FT_Int* charstrings_len; - FT_Byte* paint_type; + FT_Byte paint_type; FT_Byte font_type; FT_Matrix font_matrix; FT_Vector font_offset; FT_BBox font_bbox; FT_Long font_id; - FT_Fixed* stroke_width; + FT_Fixed stroke_width; } T1_FontRec, *T1_Font; diff -Nru tmp/freetype-2.1.5/src/type1/t1objs.c work/freetype-2.1.5/src/type1/t1objs.c --- tmp/freetype-2.1.5/src/type1/t1objs.c 2003-07-25 23:09:53.000000000 +0100 +++ work/freetype-2.1.5/src/type1/t1objs.c 2004-05-13 15:39:15.000000000 +0100 @@ -229,9 +229,6 @@ FT_FREE( type1->encoding.char_name ); FT_FREE( type1->font_name ); - FT_FREE( type1->paint_type ); - FT_FREE( type1->stroke_width ); - #ifndef T1_CONFIG_OPTION_NO_AFM /* release afm data if present */ if ( face->afm_data )

Hope this helps,

-- 
Adam Sampson <azz@xxxxxxxxxx> <http://offog.org/>
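
Review bot: in the t1types.h hunk, paint_type and stroke_width become inline values, but the patch does not touch the table that tells the parser how to load them, so the loader entry for each field should be checked against the new declaration: one that stores more bytes than an FT_Byte into paint_type would now overwrite font_type, which sits directly after it. The two changed members also carry no comment, unlike charstrings above them; a short note that they are stored by value and never allocated would keep a later cleanup from reintroducing a free. Since this changes the layout of T1_FontRec in a shared internal header, everything that includes t1types.h has to be rebuilt together with it.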
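
Review bot: in the t1objs.c hunk, removing FT_FREE( type1->paint_type ) and FT_FREE( type1->stroke_width ) is only safe if no code path ever stores an allocated block in those members, and the hunk shows the teardown function alone. Please search the rest of the tree for assignments to paint_type and stroke_width, including any other driver that uses T1_FontRec, and state the result in the submission so the removal cannot be read as a leak.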
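
The mismatch this message describes, a member declared as a pointer while a table-driven loader stores an integer or fixed-point value into it, can be caught at build or start-up time. The following is an added example, not part of the original mail and not FreeType code; demo_byte, demo_fixed, font_before, font_after and the field table are hypothetical stand-ins for the structure before and after the patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the types in the mail; not FreeType's own. */
typedef unsigned char demo_byte;
typedef long          demo_fixed;

/* Member layout before and after the patch (only the fields discussed). */
typedef struct { demo_byte *paint_type; demo_byte font_type; demo_fixed *stroke_width; } font_before;
typedef struct { demo_byte  paint_type; demo_byte font_type; demo_fixed  stroke_width; } font_after;
typedef enum { KIND_OTHER, KIND_BYTE, KIND_FIXED } kind;

/* What a struct member is actually declared as (C11 _Generic). */
#define DECLARED(type, member) _Generic(((type *)0)->member, \
    demo_byte: KIND_BYTE, demo_fixed: KIND_FIXED, default: KIND_OTHER)

/* One row of a table-driven loader: the kind of value it stores, and where. */
typedef struct { const char *name; kind loads; kind declared; size_t off; } field;
#define FIELD(type, member, loads) \
    { #member, loads, DECLARED(type, member), offsetof(type, member) }

static const field before_tab[] = {
    FIELD(font_before, paint_type,   KIND_BYTE),
    FIELD(font_before, font_type,    KIND_BYTE),
    FIELD(font_before, stroke_width, KIND_FIXED),
};
static const field after_tab[] = {
    FIELD(font_after, paint_type,   KIND_BYTE),
    FIELD(font_after, font_type,    KIND_BYTE),
    FIELD(font_after, stroke_width, KIND_FIXED),
};

/* Count rows where the loader stores a kind the member is not declared as. */
static size_t mismatches(const field *t, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (t[i].loads != t[i].declared);
    return bad;
}

size_t check_before(void) { return mismatches(before_tab, sizeof before_tab / sizeof *before_tab); }
size_t check_after(void)  { return mismatches(after_tab,  sizeof after_tab  / sizeof *after_tab); }

int main(void)
{
    printf("before: %zu mismatched, after: %zu\n", check_before(), check_after());
    return 0;
}
```

The check compares declared types rather than sizes because a pointer and a long have the same size on common Linux ABIs, so a size comparison alone would not flag the stroke_width row.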