Bug 4110

Summary: Crash when creating font face from a FreeType face
Product: cairo Reporter: Jürg Billeter <j>
Component: freetype font backendAssignee: Owen Taylor <otaylor>
Status: RESOLVED FIXED QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: high CC: kworsnop, mitch, v.merkatz
Version: 0.9.3   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: Proposed patch
Fix hashing problem by generatign a random number when filename is NULL
Don't call _cairo_ft_unscaled_font_init_key in the from_face case.

Description Jürg Billeter 2005-08-16 06:19:40 UTC 
cairo_ft_font_create_for_ft_face results in a call to
_cairo_ft_unscaled_font_init with filename == NULL. _cairo_ft_unscaled_font_init
calls _cairo_ft_unscaled_font_init_key which calls _cairo_hash_string with the
NULL filename parameter, resulting in a crash when trying to dereference the
NULL pointer.

Happens e.g. when opening a PDF file with evince 0.3.3, poppler 0.4.0, and cairo
0.9.2
Comment 1 Jürg Billeter 2005-08-16 06:21:50 UTC 
Created attachment 2892 [details] [review]
Proposed patch
Comment 2 Carl Worth 2005-08-16 09:40:47 UTC 
That patch is definitely not the whole answer here.

That would leave the filename/id fields of the cairo_ft_unscaled_font
uninitialized which would lead to random hashing.
Comment 3 Carl Worth 2005-08-16 11:42:28 UTC 
*** Bug 4113 has been marked as a duplicate of this bug. ***
Comment 4 Jürg Billeter 2005-08-16 11:52:32 UTC 
Somehow wrongly assumed the filename/id fields were already initialized to
NULL/0 and that this would prevent hashing.

Would adding a (filename != NULL) check around the hash part in
_cairo_ft_unscaled_font_init_key suffice? Or are there any code parts assuming
that the hash is always valid, even with a NULL filename?
Comment 5 Joe Marcus Clarke 2005-08-16 11:53:56 UTC 
Created attachment 2899 [details] [review]
Fix hashing problem by generatign a random number when filename is NULL

This was inspired by comments in the dup bug.  This patch creates a weak random
number (I don't think it needs to be that strong) when the filename argument is
NULL.  Works for us on FreeBSD.
Comment 6 Carl Worth 2005-08-16 12:45:50 UTC 
Created attachment 2900 [details] [review]
Don't call _cairo_ft_unscaled_font_init_key in the from_face case.

I misspoke slightly. The only time filename can be NULL is the from_face
case which means we won't ever be hashing, so in that sense it doesn't
matter what the values of the filename/id and hash_entry.hash are.

But we do need to always initialize filename as it is examined in
_cairo_ft_unscaled_font_fini. This patch clears filename/id in the
from_face case and calls the init_key code only in the !from_face
case.

Meanwhile, _cairo_hash_string should treat a NULL pointer identically
to a zero-length string I think. This patch also does this, which would
have been enough to fix the bug. It will no longer be hit in this code
path, but I think it's a reasonable fix in any case.

I'll be committing this to CVS soon, but I want to commit a failing test
case to the regression suite first.
Comment 7 Billy Biggs 2005-08-17 05:56:14 UTC 
*** Bug 4124 has been marked as a duplicate of this bug. ***
Comment 8 Carl Worth 2005-08-17 09:54:46 UTC 
I've added a test case that exercises the bug (test/ft-font-create-for-ft-face)
and committed the patch above.
Comment 9 Arwed v. Merkatz 2005-08-20 09:29:08 UTC 
*** Bug 4155 has been marked as a duplicate of this bug. ***
Comment 10 Carl Worth 2005-08-22 17:14:23 UTC 
Move bugs against "cvs" version to "0.9.3" so we can remove the "cvs" version.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.