10:58 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
Bug ID: 2104570
Summary: Multiple wild free when gzip and plain svgDoc are
mixed in font.
Product: Fedora
Version: 36
Hardware: All
OS: All
Status: NEW
Component: freetype
Severity: high
Assignee: mkasik(a)redhat.com
Reporter: bungeman(a)chromium.org
QA Contact: extras-qa(a)fedoraproject.org
CC: ajax(a)redhat.com, caillon+fedoraproject(a)gmail.com,
fonts-bugs(a)lists.fedoraproject.org,
gnome-sig(a)lists.fedoraproject.org, mclasen(a)redhat.com,
mkasik(a)redhat.com, rstrode(a)redhat.com,
sandmann(a)redhat.com
Target Milestone: ---
Link ID: freedesktop.org Gitlab freetype/freetype/-/issues/1162
Classification: Fedora
Description of problem:
With FreeType commit f93a897afedf4a634c74d3d2871519e675ee0d83 (which was
released in FreeType 2.12.0) support for OT-SVG was added. However, this
implementation contained a bug where if the `SVG ` table contained a mix of
compressed and uncompressed documents the uncompressed documents may be free'd
every time they are used. In general these documents were not malloc'ed so this
was also a wild free.
This issue has been fixed upstream with FreeType commit
c26872ed59cba3af2f407b5eefc92fcec92aa52b "[svg] Clear correct flags for doc
ownership" which landed after 2.12.1 was released (this commit is not yet in a
tagged release). The patch itself is almost trivial:
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index eeda69c3e..f66273f3d 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -605,7 +605,7 @@
FT_FREE( doc->svg_document );
- slot->internal->load_flags &= ~FT_GLYPH_OWN_GZIP_SVG;
+ slot->internal->flags &= ~FT_GLYPH_OWN_GZIP_SVG;
}
}
#endif
This should be applied to the freetype-2.12.1-1 packages currently in 36 and
37.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013094 where this
was
reported and fixed in debian.
Version-Release number of selected component (if applicable): Fedora 36 and 37
How reproducible: The upstream issue tracker [0] has an attached
font which usually crashes in FreeType when trying to use it.
Steps to Reproduce:
1. Download SampleSVG.ttf from [0].
2. Compile the FreeType demos with OT-SVG support.
3. Use SampleSVG.ttf.
Actual results:
At best a crash with glibc reporting an invalid free. At worst a wild free.
Expected results:
No crash, no wild free.
Additional info:
[0] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1162
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
8:27 a.m.
New subject: [Bug 2104570] Multiple wild free when gzip and plain svgDoc are
mixed in font.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
Fedora Update System <updates(a)fedoraproject.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |MODIFIED
--- Comment #1 from Fedora Update System <updates(a)fedoraproject.org> ---
FEDORA-2022-22a59ada07 has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-22a59ada07
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
8:28 a.m.
New subject: [Bug 2104570] Multiple wild free when gzip and plain svgDoc are
mixed in font.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
Marek Kašík <mkasik(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Doc Type|--- |If docs needed, set a value
--- Comment #2 from Marek Kašík <mkasik(a)redhat.com> ---
Hi Ben,
thank you for the report. I've pushed your fix to Fedora 36 and Fedora 37.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
8:13 p.m.
New subject: [Bug 2104570] Multiple wild free when gzip and plain svgDoc are
mixed in font.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
Fedora Update System <updates(a)fedoraproject.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|MODIFIED |ON_QA
--- Comment #3 from Fedora Update System <updates(a)fedoraproject.org> ---
FEDORA-2022-22a59ada07 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh
--advisory=FEDORA-2022-22a59ada07`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-22a59ada07
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information
on how to test updates.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
8:58 p.m.
New subject: [Bug 2104570] Multiple wild free when gzip and plain svgDoc are
mixed in font.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
Fedora Update System <updates(a)fedoraproject.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |ERRATA
Status|ON_QA |CLOSED
Fixed In Version| |freetype-2.12.1-2.fc36
Last Closed| |2022-07-13 01:58:44
--- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> ---
FEDORA-2022-22a59ada07 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2104570
659
days inactive
666
days old
fonts-bugs@lists.fedoraproject.org
4 comments
1 participants
participants (1)
-
bugzilla@redhat.com