The AddGlyphs request of the Render extension (ProcRenderAddGlyphs(), around
line 1043 of xserver/render/render.c) doesn't seem to correctly handle the
case when the request includes more than one glyph. It calls AddGlyph() in a
loop, but doesn't update the arguments to the call, so it tries to add the
same glyph repeatedly, which causes trouble when AddGlyph tries to free the
"old" glyph for that position, which is really the same as the one it is
trying to add. Two times through the loop gives you a dangling pointer, and
three times gives you a double free, which in my case caused malloc's internal
state to be corrupted so that a future call to malloc() hangs.
I'll attach a patch.
I also reported this to XFree86 as their bug #1276, though at the time I
didn't understand the cause. I presume this bug exists everywhere, but
Xsdl was helpful in debugging it.
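The failure sequence described in the report, as an added example that is not xserver code: a toy glyph set in which adding a glyph to an occupied slot frees the previous occupant, driven once by a loop that never advances its arguments and once by a loop that does. The names Glyph, GlyphSet, AddGlyph and FreeGlyph are taken from the report's wording, not from the server's real definitions, and FreeGlyph only counts releases so the double free is observable instead of corrupting the heap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not the Render extension's data structures. */
#define MAX_GLYPHS 8

typedef struct {
    unsigned id;
    int freed;     /* how many times FreeGlyph has been called on this glyph */
} Glyph;

typedef struct {
    Glyph *slot[MAX_GLYPHS];   /* glyph stored per id, NULL when empty */
} GlyphSet;

typedef struct {
    int dangling;       /* slots still pointing at a freed glyph */
    int double_freed;   /* glyphs released more than once */
} Outcome;

/* Tracking free: records the release instead of handing memory back to
 * malloc, so a second release is a countable event rather than UB. */
static void FreeGlyph(Glyph *g)
{
    g->freed++;
}

/* The behaviour the report relies on: an occupied slot's old glyph is freed
 * before the new one is stored, with no check that old and new are the
 * same object. */
static void AddGlyph(GlyphSet *set, unsigned id, Glyph *glyph)
{
    if (id >= MAX_GLYPHS)
        return;
    Glyph *old = set->slot[id];
    if (old)
        FreeGlyph(old);
    set->slot[id] = glyph;
}

/* Buggy loop: the arguments never advance, so every iteration re-adds
 * glyphs[0] at ids[0]. */
static void add_glyphs_buggy(GlyphSet *set, const unsigned *ids, Glyph *glyphs, int n)
{
    for (int i = 0; i < n; i++)
        AddGlyph(set, ids[0], &glyphs[0]);
}

/* Fixed loop: each iteration consumes the next id/glyph pair. */
static void add_glyphs_fixed(GlyphSet *set, const unsigned *ids, Glyph *glyphs, int n)
{
    for (int i = 0; i < n; i++)
        AddGlyph(set, ids[i], &glyphs[i]);
}

/* Runs an AddGlyphs request carrying n distinct glyphs through one of the
 * two loops and reports what state the glyph set is left in. */
static Outcome simulate(int n, int use_buggy_loop)
{
    GlyphSet set;
    Glyph glyphs[MAX_GLYPHS];
    unsigned ids[MAX_GLYPHS];
    Outcome out = {0, 0};

    if (n > MAX_GLYPHS)
        n = MAX_GLYPHS;
    memset(&set, 0, sizeof set);
    for (int i = 0; i < MAX_GLYPHS; i++) {
        glyphs[i].id = (unsigned)i;
        glyphs[i].freed = 0;
        ids[i] = (unsigned)i;
    }

    if (use_buggy_loop)
        add_glyphs_buggy(&set, ids, glyphs, n);
    else
        add_glyphs_fixed(&set, ids, glyphs, n);

    for (int i = 0; i < MAX_GLYPHS; i++)
        if (set.slot[i] && set.slot[i]->freed > 0)
            out.dangling++;
    for (int i = 0; i < n; i++)
        if (glyphs[i].freed > 1)
            out.double_freed++;
    return out;
}

int main(void)
{
    for (int n = 1; n <= 3; n++) {
        Outcome o = simulate(n, 1);
        printf("buggy loop, %d glyphs: %d dangling slot(s), %d double free(s)\n",
               n, o.dangling, o.double_freed);
    }
    Outcome o = simulate(3, 0);
    printf("fixed loop, 3 glyphs: %d dangling slot(s), %d double free(s)\n",
           o.dangling, o.double_freed);
    return 0;
}
```

With the buggy loop a request of one glyph is harmless, two glyphs leave the slot pointing at a glyph that has already been freed, and three glyphs free that same glyph a second time, which is exactly the progression the report describes; the fixed loop never frees anything because each id is fresh.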
Created attachment 156
Patch to fix glyph adding loop
Thanks for the bugfix; it's in the xserver tree and I've placed a link to the
monolithic release metabug so we can evaluate it for that tree as well.
So, I'll leave this bug open until we've got the monolithic release patched.
Keith, could you please go ahead and commit the to the XORG-RELEASE-1
Closed by change log entry 64 in the CHANGELOG-RELEASE-1 file