Bug 105084

Summary: Uninitialized memory leads to invalid free
Product: cairo
Reporter: Federico Mena-Quintero <federico>
Component: general
Assignee: Chris Wilson <chris>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal
Priority: medium
CC: ht990332, public
Version: unspecified
Hardware: Other
OS: All
Attachments: cairo-105084.patch

Description Federico Mena-Quintero 2018-02-13 21:05:59 UTC
Running this:

  CAIRO_TEST_TARGET=image libtool --mode=execute valgrind ./cairo-test-suite -f api-special-cases

Gets this:

TESTING api-special-cases
api-special-cases.image.argb32 [0x1]:   ==20255== Conditional jump or move depends on uninitialised value(s)
==20255==    at 0x4C2E271: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20255==    by 0x4EEEDAB: _cairo_ft_options_fini (cairo-ft-font.c:206)
==20255==    by 0x4EEEDAB: _cairo_ft_font_face_destroy (cairo-ft-font.c:3163)
==20255==    by 0x4E63845: cairo_font_face_destroy (cairo-font-face.c:186)
==20255==    by 0x4EB1CC2: _cairo_toy_font_face_destroy (cairo-toy-font-face.c:371)
==20255==    by 0x4E63845: cairo_font_face_destroy (cairo-font-face.c:186)
==20255==    by 0x4E652C5: _cairo_gstate_fini (cairo-gstate.c:197)
==20255==    by 0x4E61AB5: _cairo_default_context_fini (cairo-default-context.c:75)
==20255==    by 0x4E61B28: _cairo_default_context_destroy (cairo-default-context.c:93)
==20255==    by 0x412BC8: draw (api-special-cases.c:1919)
==20255==    by 0x40E70A: cairo_test_for_target (cairo-test.c:933)
==20255==    by 0x40E70A: _cairo_test_context_run_for_target (cairo-test.c:1536)  
==20255==    by 0x40C038: _cairo_test_runner_draw (cairo-test-runner.c:255)
==20255==    by 0x40C038: main (cairo-test-runner.c:937)
==20255==  Uninitialised value was created by a heap allocation
==20255==    at 0x4C2D08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20255==    by 0x4EEEB42: _cairo_ft_font_face_create_for_pattern (cairo-ft-font.c:3250)
==20255==    by 0x4EEEEEF: _cairo_ft_font_face_create_for_toy (cairo-ft-font.c:3098)
==20255==    by 0x4EB1F5F: _cairo_toy_font_face_create_impl_face (cairo-toy-font-face.c:168)
==20255==    by 0x4EB1F5F: _cairo_toy_font_face_init (cairo-toy-font-face.c:197)  
==20255==    by 0x4EB1F5F: cairo_toy_font_face_create (cairo-toy-font-face.c:321) 
==20255==    by 0x4EB9B0C: cairo_select_font_face (cairo.c:3042)
==20255==    by 0x411B37: test_cairo_select_font_face (api-special-cases.c:654)   
==20255==    by 0x412950: test_context (api-special-cases.c:1833)
==20255==    by 0x412BB5: draw (api-special-cases.c:1917)
==20255==    by 0x40E70A: cairo_test_for_target (cairo-test.c:933)
==20255==    by 0x40E70A: _cairo_test_context_run_for_target (cairo-test.c:1536)  
==20255==    by 0x40C038: _cairo_test_runner_draw (cairo-test-runner.c:255)
==20255==    by 0x40C038: main (cairo-test-runner.c:937)

This is uninitialized memory from _cairo_ft_font_face_create_for_pattern()'s call to malloc().  It is not initializing font_face->ft_options.
Comment 1 Federico Mena-Quintero 2018-02-13 21:09:58 UTC
Created attachment 137338 [details] [review]
cairo-105084.patch

I believe there's just a call missing to _get_pattern_ft_options() to initialize font_face->ft_options.  It may be good to factor out the initialization of font_face from _cairo_ft_font_face_create_for_pattern() and _cairo_ft_font_face_create(), since both call malloc() and must initialize each field by hand.
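The following is an added, stand-alone C model of this bug class, not cairo's own code: a malloc()ed struct whose embedded options sub-struct is never initialized, so the fini path hands garbage to free(). The type and function names (ft_options_t, font_face_t, ft_options_init, font_face_create_buggy, font_face_create_fixed, field_is_poison) are hypothetical stand-ins for the cairo functions named in the report, and the POISON fill is a test aid that makes the missing write observable without valgrind.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, cut-down stand-ins for cairo's ft_options and font_face. */
typedef struct { int *weights; int hinting; } ft_options_t;  /* weights is heap-owned */
typedef struct { int refcount; ft_options_t ft_options; } font_face_t;
#define POISON 0xAB  /* deterministic stand-in for malloc() garbage */

/* Stands in for _get_pattern_ft_options(): writes every field of the struct. */
static int ft_options_init(ft_options_t *o, int weight, int hinting)
{
    o->weights = malloc(sizeof *o->weights);
    if (!o->weights) return 0;
    *o->weights = weight;
    o->hinting = hinting;
    return 1;
}

/* Stands in for _cairo_ft_options_fini(). On a struct that init never touched,
 * free() receives garbage: the "invalid free" in the report. */
static void ft_options_fini(ft_options_t *o) { free(o->weights); o->weights = NULL; }

/* Shared allocation step. The POISON fill makes "never written" observable in a
 * plain test; at runtime valgrind's memcheck is what tracks this. */
static font_face_t *font_face_alloc(void)
{
    font_face_t *f = malloc(sizeof *f);
    if (f) { memset(f, POISON, sizeof *f); f->refcount = 1; }
    return f;
}

/* The bug: ft_options is left as whatever malloc() returned. */
static font_face_t *font_face_create_buggy(void) { return font_face_alloc(); }

/* The fix: every constructor runs ft_options_init (the call the patch adds). */
static font_face_t *font_face_create_fixed(int weight, int hinting)
{
    font_face_t *f = font_face_alloc();
    if (f && !ft_options_init(&f->ft_options, weight, hinting)) { free(f); f = NULL; }
    return f;
}

/* 1 if every byte of the field is still POISON, i.e. no initializer wrote it. */
static int field_is_poison(const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) if (b[i] != POISON) return 0;
    return 1;
}

/* Destroy path; only faces from the fixed constructor may reach it. */
static void font_face_destroy(font_face_t *f) { ft_options_fini(&f->ft_options); free(f); }
```

Factoring the allocation and the options initialization into one shared path, as suggested above, is what keeps a second constructor from omitting the call again.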
Comment 2 Pavel Vinogradov 2018-03-05 22:32:00 UTC
zathura segfaults when loading a document. The patch helps indeed. Thank you.
Comment 3 Federico Mena-Quintero 2018-03-09 02:12:40 UTC
This is now commit 45e3b8f27179cf1130bfa61a09ef366fd313a0e1.
