zombie ft_font_face / ft_unscaled_font mutual referencing problems
Submitted by Karl Tomlinson
Assigned to David Turner
Description
There can be more than one zombie font_face belonging to an unscaled_font, but only the first is destroyed:
http://cgit.freedesktop.org/cairo/tree/src/cairo-ft-font.c#n544
This leaks the client's FT_Face (and associated font data) as release of the FT_Face depends on release of the font_face.
(The reason why Firefox ends up with two different font_faces for one unscaled_font is that load_flags for faces with artificial oblique have FT_LOAD_NO_BITMAP set. https://bugzilla.mozilla.org/show_bug.cgi?id=486974)
Also it's possible for _cairo_ft_font_face_create to pull out a zombie font_face from the unscaled_font, which would crash _cairo_ft_font_face_scaled_font_create, as that expects a non-null font_face->unscaled (if !font_face->pattern).
Version: 1.9.1