Memory leak in cff_size_init() if other allocation fails...
Migrated from: [SAVANNAH-58610]
Sebastian Rasmussen reported:
A bug in a similar situation as #58609 was found in FreeType 2.10.0. This was found using gcc 9.3.0 ASAN and a custom allocator that lets me control when/where it will return NULL.
This is the gdb backtrace (relevant for Freetype) where the allocator returns NULL:
#1 0x0000555555b1c2aa in ft_mem_qalloc (memory=0x621000002920, size=3952,
    p_error=0x7fffffff8ec0) at freetype/src/base/ftutil.c:76
#2 0x0000555555b1c12f in ft_mem_alloc (memory=0x621000002920, size=3952,
    p_error=0x7fffffff8f90) at freetype/src/base/ftutil.c:55
#2 0x0000555555b97c07 in psh_globals_new (memory=0x621000002920,
    priv=0x7fffffff9070, aglobals=0x61d000000a90)
    at freetype/src/pshinter/pshglob.c:654
#3 0x0000555555b46820 in cff_size_init (cffsize=0x60b0000003c0)
    at freetype/src/cff/cffobjs.c:187
#4 0x0000555555b03caa in FT_New_Size (face=0x61a000000c90,
    asize=0x7fffffff9380) at freetype/src/base/ftobjs.c:2847
#5 0x0000555555b026b2 in ft_open_face_internal (library=0x614000000450,
    args=0x7fffffff9420, face_index=0, aface=0x7fffffff9530,
    test_mac_fonts=1 '\001') at freetype/src/base/ftobjs.c:2575
#6 0x0000555555b01bb2 in FT_New_Memory_Face (library=0x614000000450,
    file_base=0x55555668c7db "\001", file_size=34024, face_index=0,
    aface=0x7fffffff9530) at freetype/src/base/ftobjs.c:1493
This is the corresponding backtrace where the allocation of the data that leaks occurs:
#1 0x55750860f2a9 in ft_mem_qalloc freetype/src/base/ftutil.c:76
#2 0x55750860f12e in ft_mem_alloc freetype/src/base/ftutil.c:55
#3 0x557508639713 in cff_size_init freetype/src/cff/cffobjs.c:183
#4 0x5575085f6ca9 in FT_New_Size freetype/src/base/ftobjs.c:2847
#5 0x5575085f56b1 in ft_open_face_internal freetype/src/base/ftobjs.c:2575
#6 0x5575085f4bb1 in FT_New_Memory_Face freetype/src/base/ftobjs.c:1493
By looking at the source code (https://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/cff/cffobjs.c#n182)
it is evident that internal is never freed if funcs->create() fails and
FreeType goto Exit.
    if ( FT_NEW( internal ) )
      goto Exit;

    cff_make_private_dict( &font->top_font, &priv );
    error = funcs->create( cffsize->face->memory, &priv,
                           &internal->topfont );
    if ( error )
      goto Exit;

    /* ... */

  Exit:
    return error;
  }
I will attach my proposed solution for this bug shortly. I have tested
this patch and I see no other leaks after applying it.
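The leak pattern described in the report, reduced to a self-contained C example that is not FreeType's code and not the reporter's patch: a fault-injecting allocator (constructed here, standing in for the reporter's custom allocator) fails on a chosen call, a leaky init function mirrors the `goto Exit` path that drops `internal`, and a fixed variant releases `internal` before returning the error. The names `fi_alloc`, `size_init_leaky`, `size_init_fixed`, `create_globals` and `leaked_blocks` are all assumptions for illustration; the live-block counter is what an ASAN leak report would flag.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed fault-injecting allocator: returns NULL on call number
 * `fail_on_call` (1-based; -1 = never fail) and counts live blocks. */
static int alloc_calls  = 0;
static int fail_on_call = -1;
static int live_blocks  = 0;

static void *fi_alloc( size_t n )
{
  alloc_calls++;
  if ( alloc_calls == fail_on_call )
    return NULL;
  void *p = malloc( n );
  if ( p )
    live_blocks++;
  return p;
}

static void fi_free( void *p )
{
  if ( p )
  {
    live_blocks--;
    free( p );
  }
}

/* Hypothetical stand-ins for the size-internal object and funcs->create(). */
typedef struct { void *globals; } Internal;

static int create_globals( void **out )
{
  *out = fi_alloc( 64 );
  return *out ? 0 : 1;          /* 1 = out-of-memory style error */
}

/* Leaky variant: same shape as the reported code path. If the second
 * allocation fails, `internal` is still owned by this function when it
 * jumps to Exit, and nobody frees it. */
static int size_init_leaky( Internal **out )
{
  int       error;
  Internal *internal = fi_alloc( sizeof *internal );

  if ( !internal )
    return 1;

  error = create_globals( &internal->globals );
  if ( error )
    goto Exit;                  /* `internal` leaks here */

  *out = internal;
  return 0;

Exit:
  return error;
}

/* Fixed variant: release every allocation this function still owns on
 * the error path, and never hand a half-initialised object back. */
static int size_init_fixed( Internal **out )
{
  int       error;
  Internal *internal = fi_alloc( sizeof *internal );

  if ( !internal )
    return 1;

  error = create_globals( &internal->globals );
  if ( error )
  {
    fi_free( internal );
    internal = NULL;
  }

  *out = internal;
  return error;
}

static void size_done( Internal *i )
{
  if ( i )
  {
    fi_free( i->globals );
    fi_free( i );
  }
}

/* Run one init with the allocator failing on call `fail_at`, tear down on
 * success, and report how many blocks are still live (i.e. leaked). */
static int leaked_blocks( int (*init)( Internal ** ), int fail_at )
{
  Internal *s = NULL;

  alloc_calls = 0; live_blocks = 0; fail_on_call = fail_at;
  if ( init( &s ) == 0 )
    size_done( s );
  return live_blocks;
}

int main( void )
{
  printf( "leaky, 2nd alloc fails: %d leaked\n", leaked_blocks( size_init_leaky, 2 ) );
  printf( "fixed, 2nd alloc fails: %d leaked\n", leaked_blocks( size_init_fixed, 2 ) );
  return 0;
}
```

Driving every allocation site to failure in turn (here via `fail_at`) is the cheap, deterministic way to find this class of bug before a fuzzer or a hostile font does; under ASAN the leaky variant reports one leaked block, the fixed one none.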