Hello,

I got a realloc error when running gnome-terminal with fontconfig-2.3.94:

*** glibc detected *** realloc(): invalid next size: 0x00000000005da780 ***

I did some debugging and found the implementation of FcObjectToPtrLookup didn't check user_obj_alloc against l->ntypes properly, which caused the tail of _FcUserObjectNames to be modified unexpectedly. I think "user_obj_alloc < l->ntypes" in fcname.c:222 should be changed to "<=". Also, we can't assume that the pointer newly allocated by realloc is the same as the old one, so we can't use "l->types == _FcUserObjectNames" after realloc. Attached is the proposed patch, hoping it will be useful.

Best,
Ming
--- fcname.c.bak 2006-04-07 14:35:03.000000000 +0800 +++ fcname.c 2006-04-07 15:19:19.000000000 +0800 @@ -218,8 +218,9 @@ break; } + FcBool replace = l && l->types == _FcUserObjectNames ? FcTrue : FcFalse; if (!_FcUserObjectNames || - (l && l->types == _FcUserObjectNames && user_obj_alloc < l->ntypes)) + (replace && user_obj_alloc <= l->ntypes)) { int nt = user_obj_alloc + 4; FcObjectType * t = realloc (_FcUserObjectNames, @@ -230,7 +231,7 @@ user_obj_alloc = nt; } - if (l && l->types == _FcUserObjectNames) + if (replace) { n = l->ntypes; FcNameUnregisterObjectTypesFree (l->types, l->ntypes, FcFalse); @@ -244,7 +245,7 @@ { if (l->types == _FcUserObjectNames) { - t = (FcObjectType *)l->types; + t = _FcUserObjectNames; break; } }
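Review bot: in the first hunk the new declaration `FcBool replace = l && l->types == _FcUserObjectNames ? FcTrue : FcFalse;` is placed after executable code (the `break; }` that closes the preceding loop), so it is a mixed declaration and statement; if fcname.c is compiled as C89 this will not build. Declare `replace` with the other locals and assign it just before the `if`. While there, write it as `replace = (l && l->types == _FcUserObjectNames);`: the `&&` already yields 0 or 1, so the `?:` adds nothing, and the parentheses make the precedence obvious. The `<=` change itself is correct: the array has to hold `l->ntypes + 1` entries after this call, so it must also grow when `user_obj_alloc == l->ntypes`.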
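Review bot: in the second hunk, when `replace` is true and the realloc in the preceding block has moved the array, the `l->types` handed to `FcNameUnregisterObjectTypesFree (l->types, l->ntypes, FcFalse)` is the address of the block realloc has just freed. That is only safe if the function uses the pointer as an identity key for the list lookup and never dereferences it; please confirm that, and add a one-line comment at the call site saying the pointer may be stale and is compared, not read, so the next person does not "fix" it by walking `l->types`.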
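Review bot: the `t = _FcUserObjectNames;` change in the last hunk is a no-op: it sits inside `if (l->types == _FcUserObjectNames)`, so `l->types` and `_FcUserObjectNames` hold the same value there and the only visible difference is the dropped cast. Either leave this hunk out to keep the patch minimal, or, if the point is that this loop should not be reached after a realloc has moved the array, state that in a comment; the actual fix is the `replace` capture in the first two hunks.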
_______________________________________________ Fontconfig mailing list Fontconfig@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/fontconfig
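As an added illustration (my own stand-alone model, not fontconfig's code or Ming's patch): the post describes two separate defects in one growth path, an off-by-one growth test on a realloc'd array and a pointer comparison made after realloc may have moved the block. The model below reproduces both with a registration list like fontconfig's; every name in it (`Registry`, `Node`, `register_user`, `scenario`, the constructed object names) is invented for the example, and `moving_realloc` always moves the block so the stale comparison fails deterministically instead of depending on the allocator's mood. Instead of writing one past the end it returns a status, so it can be run safely.

```c
/* Model of the fcname.c growth bug: '<' vs '<=' on the capacity test, and a
 * pointer compared against _FcUserObjectNames after realloc() moved it.
 * Hypothetical example code, not fontconfig's; names are made up.
 * Build: cc -std=c99 -Wall realloc_model.c && ./a.out */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GROW 4                          /* the patch also grows by 4 */

typedef struct { const char *object; int type; } ObjectType;

typedef struct Node {                   /* one registered set of object types */
    const ObjectType *types;
    int ntypes;
    struct Node *next;
} Node;

typedef struct {
    ObjectType *user_names;             /* stands in for _FcUserObjectNames */
    int user_alloc;                     /* stands in for user_obj_alloc */
    Node *list;                         /* all registered sets */
    void *retired;                      /* previous block, kept alive so that
                                           comparing its address stays defined */
} Registry;

typedef enum { REG_OK, REG_WOULD_OVERFLOW, REG_STALE_NODE, REG_NOMEM } RegStatus;

/* realloc stand-in that always moves the block. glibc may or may not move
 * it, which is why a comparison against the old address is a latent bug. */
static void *moving_realloc(Registry *r, void *p, size_t old_sz, size_t new_sz)
{
    void *q = malloc(new_sz);
    if (!q) return NULL;
    if (p) { memcpy(q, p, old_sz); free(r->retired); r->retired = p; }
    return q;
}

static Node *find_user_node(const Registry *r)
{
    for (Node *l = r->list; l; l = l->next)
        if (l->types == r->user_names) return l;
    return NULL;
}

static void unregister(Registry *r, Node *victim)
{
    for (Node **pp = &r->list; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; free(victim); return; }
}

/* use_le:         growth test is alloc <= ntypes (patch) or alloc < ntypes (original)
 * capture_before: decide "this is the user node" before realloc (patch) or after (original) */
static RegStatus register_user(Registry *r, const char *name, int use_le, int capture_before)
{
    Node *l = find_user_node(r);
    int ntypes = l ? l->ntypes : 0;
    int replace = l != NULL;            /* l->types == r->user_names by construction */
    int need_room = use_le ? r->user_alloc <= ntypes : r->user_alloc < ntypes;

    if (!r->user_names || (replace && need_room)) {
        int nt = r->user_alloc + GROW;
        ObjectType *t = moving_realloc(r, r->user_names,
                                       (size_t)r->user_alloc * sizeof *t,
                                       (size_t)nt * sizeof *t);
        if (!t) return REG_NOMEM;
        r->user_names = t;
        r->user_alloc = nt;
    }
    /* The original re-tested l->types == _FcUserObjectNames here. After a move
     * l->types still holds the old address, the test fails, and the old node
     * would stay in the list pointing at freed memory. */
    if (!capture_before)
        replace = l && l->types == r->user_names;
    if (replace)
        unregister(r, l);
    else if (l)
        return REG_STALE_NODE;          /* stop instead of leaving a dangling node */

    /* The original wrote user_names[ntypes] unconditionally; with '<' ntypes
     * can equal user_alloc, one past the end. Report it instead of doing it. */
    if (ntypes >= r->user_alloc) return REG_WOULD_OVERFLOW;
    r->user_names[ntypes].object = name;
    r->user_names[ntypes].type = ntypes;

    Node *fresh = malloc(sizeof *fresh);
    if (!fresh) return REG_NOMEM;
    fresh->types = r->user_names;
    fresh->ntypes = ntypes + 1;
    fresh->next = r->list;
    r->list = fresh;
    return REG_OK;
}

static void registry_free(Registry *r)
{
    while (r->list) unregister(r, r->list);
    free(r->user_names);
    free(r->retired);
    memset(r, 0, sizeof *r);
}

/* Register `count` constructed names under one policy; return the first failure. */
static RegStatus scenario(int count, int use_le, int capture_before)
{
    static const char *names[] = { "foo", "bar", "baz", "qux", "quux",
                                   "corge", "grault", "garply", "waldo" };
    Registry r = {0};
    RegStatus s = REG_OK;
    for (int i = 0; i < count && s == REG_OK; i++)
        s = register_user(&r, names[i % 9], use_le, capture_before);
    registry_free(&r);
    return s;
}

int main(void)
{
    printf("original ('<', compare after realloc), 5 adds: %d\n", scenario(5, 0, 0));
    printf("only the '<=' change,                  5 adds: %d\n", scenario(5, 1, 0));
    printf("both changes,                          9 adds: %d\n", scenario(9, 1, 1));
    return 0;
}
```

The three runs show why the two changes belong together: with the original `<` test the array never grows after its first allocation, so the fifth entry lands one past the end (the heap corruption glibc reported); applying only `<=` makes the array grow, and that first move is what exposes the stale comparison, leaving a list node pointing at freed memory; only with the decision captured before the realloc does the ninth entry (second growth) go through cleanly.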