cairo_ft_font_create_for_ft_face results in a call to _cairo_ft_unscaled_font_init with filename == NULL. _cairo_ft_unscaled_font_init calls _cairo_ft_unscaled_font_init_key which calls _cairo_hash_string with the NULL filename parameter, resulting in a crash when trying to dereference the NULL pointer. Happens e.g. when opening a PDF file with evince 0.3.3, poppler 0.4.0, and cairo 0.9.2
Created attachment 2892: Proposed patch
That patch is definitely not the whole answer here. That would leave the filename/id fields of the cairo_ft_unscaled_font uninitialized which would lead to random hashing.
*** Bug 4113 has been marked as a duplicate of this bug. ***
Somehow wrongly assumed the filename/id fields were already initialized to NULL/0 and that this would prevent hashing. Would adding a (filename != NULL) check around the hash part in _cairo_ft_unscaled_font_init_key suffice? Or are there any code parts assuming that the hash is always valid, even with a NULL filename?
Created attachment 2899: Fix hashing problem by generating a random number when filename is NULL. This was inspired by comments in the dup bug. This patch creates a weak random number (I don't think it needs to be that strong) when the filename argument is NULL. Works for us on FreeBSD.
Created attachment 2900: Don't call _cairo_ft_unscaled_font_init_key in the from_face case. I misspoke slightly. The only time filename can be NULL is the from_face case, which means we won't ever be hashing, so in that sense it doesn't matter what the values of the filename/id and hash_entry.hash are. But we do need to always initialize filename as it is examined in _cairo_ft_unscaled_font_fini. This patch clears filename/id in the from_face case and calls the init_key code only in the !from_face case. Meanwhile, _cairo_hash_string should treat a NULL pointer identically to a zero-length string, I think. This patch also does this, which would have been enough to fix the bug. It will no longer be hit in this code path, but I think it's a reasonable fix in any case. I'll be committing this to CVS soon, but I want to commit a failing test case to the regression suite first.
*** Bug 4124 has been marked as a duplicate of this bug. ***
I've added a test case that exercises the bug (test/ft-font-create-for-ft-face) and committed the patch above.
*** Bug 4155 has been marked as a duplicate of this bug. ***
Move bugs against "cvs" version to "0.9.3" so we can remove the "cvs" version.