Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 6 Jul 2000 00:48:17 +0800 (SGT)
From:      twchan@singnet.com.sg
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/19716: xfstt 1.1 core dumps on Courier New font and hangs X client
Message-ID:  <200007051648.AAA01323@tns02950.singnet.com.sg>
next in thread | raw e-mail | index | archive | help 

>Number:         19716
>Category:       ports
>Synopsis:       xfstt 1.1 core dumps on Courier New font and hangs X client
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 05 09:50:06 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Chan Tur Wei
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
>Environment:

 FreeBSD zargrok 4.0-STABLE FreeBSD 4.0-STABLE #5: Sun Jul  2 22:55:03 SGT 2000

 XFree86-3.3.6

>Description:
 
	xfstt core dumps at times, especially when trying to serve the
	regular "Courier New" font (COUR.TTF).  As a result, X clients
	trying to set the font will hang, and killing the hung clients
	brings down X.

	The problem is that xfstt calls realloc(), through its #define
	shrinkMem(), but neglects to adjust a pointer that used to
	point to memory within the old block.  A subsequent copying of
	that pointer then merrily SIGSEGV's the code.

>How-To-Repeat:

	1) Run xfstt.
	2) Start X.
	3) Run netscape (in my case, netscape-communicator-4.72).
	4) Set "Fixed width font" to "Courier New".
	5) Load a HTML page with Courier New, or easier yet, simply
	   "View Page Source".
	6) Netscape hangs, and xfstt dumps core in
	   /usr/X11R6/lib/X11/fonts/TrueType

>Fix:

	Fix up the memory pointer after the realloc().  The following
	patch does that:

--- xfstt.cpp   Sat Jul  1 10:53:55 2000
+++ xfstt.cpp.fixed     Sat Jul  1 10:55:11 2000
@@ -470,10 +470,12 @@
        raster->getFontExtent( &xfs->fe);
 
        int used = (xfs->fe.bitmaps + xfs->fe.bmplen) - xfs->fe.buffer;
+       int bmpoff = xfs->fe.bitmaps - xfs->fe.buffer;
        xfs->fe.buffer = (U8*)shrinkMem( xfs->fe.buffer, used);
-       if( xfs->fe.buffer)
+       if( xfs->fe.buffer) {
                xfs->fe.buflen = used;
-       else {
+               xfs->fe.bitmaps = xfs->fe.buffer + bmpoff;
+       } else {
                xfs->fid = 0;   //###
                xfs = 0;
        }


>Release-Note:
>Audit-Trail:
>Unformatted:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200007051648.AAA01323>