If compare->size is greater than glyph->size in FindGlyphRef at render/glyph.c:444, it could theoretically happen that memcmp reads beyond the end of glyph. This is by no means critical, but it always aborts X when compiled with a bounds-checking-patched gcc with -fbounds-checking.
- memcmp (&compare->info, &glyph->info, compare->size) == 0))
+ memcmp (&compare->info, &glyph->info, glyph->size < compare->size ? glyph->size : compare->size) == 0))
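Review bot: clamping the memcmp length to the smaller of the two sizes stops the over-read but makes glyphs of different sizes compare equal whenever the shorter record is a byte-for-byte prefix of the longer one, so a lookup can return the wrong glyph. Unless the enclosing condition (not shown in this hunk) already requires glyph->size == compare->size, add that test ahead of the memcmp, e.g. `glyph->size == compare->size && memcmp (&compare->info, &glyph->info, glyph->size) == 0`, which also removes the need for the ternary.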
Sorry about the phenomenal bug spam, guys. Adding xorg-team@ to the QA contact so bugs don't get lost in future.
This is moot now. We use sha1 hashes of glyph contents to check for equality rather than comparing the bits directly, so the memcmp() is constant-sized now.
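The over-read from the first comment, the clamped compare it proposes, and the fixed-size digest compare the last comment says replaced it, as an added C example that is not part of this bug report or of the xorg server code. The Glyph layout, the function names, and the use of FNV-1a as a stand-in for the server's sha1 are assumptions made for the example; FNV-1a is not collision resistant and is used only to show a compare whose length no longer depends on the glyph size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the server's glyph record: a header followed by `size`
 * bytes of glyph data. Hypothetical layout for this example, not xorg's GlyphRec. */
typedef struct {
    size_t size;          /* bytes of glyph data that follow */
    uint64_t digest;      /* stand-in for the sha1 the server later stored */
    unsigned char data[];
} Glyph;

/* FNV-1a 64-bit, standing in for sha1. Not collision resistant; it only
 * gives us a fixed-size value to compare. */
static uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static Glyph *glyph_new(const unsigned char *bytes, size_t size) {
    Glyph *g = malloc(sizeof *g + size);
    if (g == NULL)
        return NULL;
    g->size = size;
    memcpy(g->data, bytes, size);
    g->digest = fnv1a64(g->data, g->size);
    return g;
}

/* The reported bug: a memcmp over compare->size bytes runs past the end of
 * glyph whenever compare is the larger record. We report the condition
 * rather than performing the out-of-bounds read. */
bool naive_compare_overreads(const Glyph *compare, const Glyph *glyph) {
    return compare->size > glyph->size;
}

/* The patch proposed in the report: clamp the length to the smaller size.
 * Safe to call, but a glyph that is a prefix of a longer one compares equal. */
bool glyph_equal_minlen(const Glyph *compare, const Glyph *glyph) {
    size_t n = glyph->size < compare->size ? glyph->size : compare->size;
    return memcmp(compare->data, glyph->data, n) == 0;
}

/* Hardened byte compare: reject differing sizes before touching the data,
 * so memcmp never runs past either record and prefixes do not match. */
bool glyph_equal_safe(const Glyph *compare, const Glyph *glyph) {
    if (compare->size != glyph->size)
        return false;
    return memcmp(compare->data, glyph->data, compare->size) == 0;
}

/* Digest compare: a memcmp over a fixed-size field regardless of glyph size,
 * the shape of the server's later sha1-based check. Equal digests imply equal
 * data only as far as the hash is collision resistant. */
bool glyph_equal_digest(const Glyph *compare, const Glyph *glyph) {
    return memcmp(&compare->digest, &glyph->digest, sizeof compare->digest) == 0;
}

/* Exercise the comparisons on constructed glyphs. Returns 0 when each behaves
 * as described above, otherwise a nonzero bitmask of what went wrong. */
int demo(void) {
    static const unsigned char shortbits[] = {0x41, 0x42, 0x43, 0x44};
    static const unsigned char longbits[]  = {0x41, 0x42, 0x43, 0x44, 0x45, 0x46};
    Glyph *a  = glyph_new(shortbits, sizeof shortbits);
    Glyph *b  = glyph_new(longbits, sizeof longbits);
    Glyph *a2 = glyph_new(shortbits, sizeof shortbits);
    int rc = 0;

    if (a == NULL || b == NULL || a2 == NULL) { rc = 1; goto out; }
    /* compare = b (6 bytes), glyph = a (4 bytes): the original code over-reads. */
    if (!naive_compare_overreads(b, a)) rc |= 2;
    /* The clamped compare wrongly treats the 4-byte prefix as a match. */
    if (!glyph_equal_minlen(b, a)) rc |= 4;
    /* Size-checked and digest compares tell them apart ... */
    if (glyph_equal_safe(b, a) || glyph_equal_digest(b, a)) rc |= 8;
    /* ... and still match a byte-identical copy. */
    if (!glyph_equal_safe(a, a2) || !glyph_equal_digest(a, a2)) rc |= 16;
out:
    free(a); free(b); free(a2);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("%s\n", rc == 0 ? "comparisons behave as expected" : "unexpected result");
    return rc;
}
```

Under a bounds-checking compiler the naive memcmp in the original code would abort on the (b, a) pair above; here that case is only detected, not executed, so the example runs cleanly while still showing why the size check has to come before the byte compare.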