The AddGlyphs request of the Render extension (ProcRenderAddGlyphs(), around line 1043 of xserver/render/render.c) doesn't seem to correctly handle the case when the request includes more than one glyph. It calls AddGlyph() in a loop, but doesn't update the arguments to the call, so it tries to add the same glyph repeatedly, which causes trouble when AddGlyph tries to free the "old" glyph for that position, which is really the same as the one it is trying to add. Two times through the loop gives you a dangling pointer, and three times gives you a double free, which in my case caused malloc's internal state to be corrupted so that a future call to malloc() hangs. I'll attach a patch. I also reported this to XFree86 as their bug #1276, though at the time I didn't understand the cause. I presume this bug exists everywhere, but Xsdl was helpful in debugging it.
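The failure sequence described in the report (two iterations leave a dangling pointer, three produce a double free) can be reproduced outside the X server. The following is an added illustration, not code from xserver/render/render.c: it models a glyph set as one slot per glyph id, an AddGlyph-like function that releases whatever was stored for that id before storing the new glyph, and a stand-in allocator that counts a second free of the same block instead of letting it corrupt real malloc state. The names (Block, GlyphSet, add_glyph, add_glyphs_buggy, add_glyphs_fixed, run_request) are hypothetical; only the loop shape, with and without advancing its arguments, is taken from the report.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_GLYPHS 8
#define MAX_BLOCKS 64

/* Hypothetical stand-in for a heap block: a second "free" of the same
 * block is recorded rather than corrupting allocator state. */
typedef struct {
    unsigned id;   /* glyph id the block was allocated for */
    int freed;     /* 1 once the block has been released */
} Block;

static Block blocks[MAX_BLOCKS];
static int nblocks;
static int double_frees;

static void reset_heap(void) {
    nblocks = 0;
    double_frees = 0;
}

static Block *glyph_alloc(unsigned id) {
    if (nblocks >= MAX_BLOCKS)
        return NULL;
    Block *b = &blocks[nblocks++];
    b->id = id;
    b->freed = 0;
    return b;
}

static void glyph_free(Block *b) {
    if (b->freed)
        double_frees++;   /* a real malloc would corrupt its free lists here */
    else
        b->freed = 1;
}

/* A glyph set with one slot per glyph id (constructed, not the real one). */
typedef struct {
    Block *slots[MAX_GLYPHS];
} GlyphSet;

/* Models the contract the report describes for AddGlyph(): release the glyph
 * already stored for this id, then store the new one. It does not notice that
 * old and new may be the very same block. */
static void add_glyph(GlyphSet *set, unsigned id, Block *glyph) {
    Block *old = set->slots[id];
    if (old)
        glyph_free(old);
    set->slots[id] = glyph;
}

/* The loop shape from the report: called once per requested glyph, but the
 * arguments never advance, so the first glyph is re-added every time. */
static void add_glyphs_buggy(GlyphSet *set, const unsigned *ids, Block **glyphs, int n) {
    for (int i = 0; i < n; i++)
        add_glyph(set, ids[0], glyphs[0]);
}

/* The corrected loop: each iteration consumes the next id and glyph. */
static void add_glyphs_fixed(GlyphSet *set, const unsigned *ids, Block **glyphs, int n) {
    for (int i = 0; i < n; i++)
        add_glyph(set, ids[i], glyphs[i]);
}

/* Runs one request carrying n distinct glyphs through either loop.
 * Returns the number of double frees; *dangling receives how many slots
 * are left pointing at an already-freed block. */
static int run_request(int n, int fixed, int *dangling) {
    GlyphSet set = { { 0 } };
    unsigned ids[MAX_GLYPHS];
    Block *glyphs[MAX_GLYPHS];

    if (n > MAX_GLYPHS)
        n = MAX_GLYPHS;
    reset_heap();
    for (int i = 0; i < n; i++) {
        ids[i] = (unsigned)i;
        glyphs[i] = glyph_alloc(ids[i]);
    }
    if (fixed)
        add_glyphs_fixed(&set, ids, glyphs, n);
    else
        add_glyphs_buggy(&set, ids, glyphs, n);

    *dangling = 0;
    for (int i = 0; i < MAX_GLYPHS; i++)
        if (set.slots[i] && set.slots[i]->freed)
            (*dangling)++;
    return double_frees;
}

int main(void) {
    int dangling, df;
    for (int n = 1; n <= 3; n++) {
        df = run_request(n, 0, &dangling);
        printf("buggy loop, %d glyph(s): %d dangling slot(s), %d double free(s)\n", n, dangling, df);
    }
    df = run_request(3, 1, &dangling);
    printf("fixed loop, 3 glyphs: %d dangling slot(s), %d double free(s)\n", dangling, df);
    return 0;
}
```

With the buggy loop, the second iteration frees the glyph it then stores again, leaving the slot pointing at released memory; the third iteration frees that same block once more. Advancing the arguments each iteration, as the attached patch does, removes both conditions.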
Created attachment 156: Patch to fix glyph adding loop
Thanks for the bugfix; it's in the xserver tree and I've placed a link to the monolithic release metabug so we can evaluate it for that tree as well. So, I'll leave this bug open until we've got the monolithic release patched.
Keith, could you please go ahead and commit the patch to the XORG-RELEASE-1 branch?
Closed by change log entry 64 in the CHANGELOG-RELEASE-1 file