Dereferencing NULL when another allocation failed...
Migrated from: [SAVANNAH-58624]
Sebastian Rasmussen reported:
Further testing using a custom allocator and gcc ASAN 9.3.0 revealed that the fix for 58611 may cause a crash!
This is the gdb backtrace (relevant for Freetype) where the allocator returns NULL:
```
#1  0x0000555555b1b2ae in ft_mem_qalloc (memory=0x621000002918, size=544, p_error=0x7fffffff8eb0)
    at freetype/src/base/ftutil.c:76
#2  0x0000555555b1b133 in ft_mem_alloc (memory=0x621000002918, size=544, p_error=0x7fffffff8f60)
    at freetype/src/base/ftutil.c:55
#3  0x0000555555b02b12 in FT_New_Size (face=0x61a000000688, asize=0x7fffffff90c0) at freetype/src/base/ftobjs.c:2836
#4  0x0000555555b016b6 in ft_open_face_internal (library=0x614000000448, args=0x7fffffff9160, face_index=0, aface=0x7fffffff9270,
    test_mac_fonts=1 '\001') at freetype/src/base/ftobjs.c:2575
#5  0x0000555555b00bb6 in FT_New_Memory_Face (library=0x614000000448, file_base=0x62d00000a408 "true", file_size=23164,
    face_index=0, aface=0x7fffffff9270) at freetype/src/base/ftobjs.c:1493
```
This is the corresponding backtrace where the crash occurs:
```
#1  0x56285392ae3e in FT_New_Size freetype/src/base/ftobjs.c:2861
#2  0x5628539296b5 in ft_open_face_internal freetype/src/base/ftobjs.c:2575
#3  0x562853928bb5 in FT_New_Memory_Face freetype/src/base/ftobjs.c:1493
```
Looking at the source code (https://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/base/ftobjs.c#n2835)
it is obvious that `size' might not always have been successfully allocated
once execution reaches the Exit label, yet in the fix for 58611 I unconditionally
dereference `size->internal' when attempting to free it.
```c
  if ( FT_ALLOC( size, clazz->size_object_size ) || FT_NEW( node ) )
    goto Exit;

  /* ... */

Exit:
  if ( error )
  {
    FT_FREE( node );
    FT_FREE( size->internal );  /* `size' is still NULL if FT_ALLOC failed */
    FT_FREE( size );
  }

  return error;
}
```
I will attach a patch for this shortly. Sorry to have added this bug. :-/
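As an added illustration (not FreeType's code and not the reporter's patch), here is a minimal model of the `FT_New_Size` allocation sequence driven by a fault-injecting allocator of the kind described above, with the `size->internal` release guarded so that the error path survives whichever allocation fails. All names (`Size`, `Node`, `model_alloc`, `new_size`, `scenario`) are hypothetical stand-ins.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for FT_Size and FT_ListNode. */
typedef struct { void *internal; } Size;
typedef struct { Size *size; } Node;

static int fail_at;                 /* 1-based index of the allocation that fails; 0 = none */
static int alloc_count, live_blocks;

/* Fault-injecting model of ft_mem_alloc: the fail_at-th call returns NULL. */
static void *model_alloc(size_t n)
{
    if (++alloc_count == fail_at) return NULL;
    live_blocks++;
    return calloc(1, n);
}
static void model_free(void *p) { if (p) { live_blocks--; free(p); } }

/* Model of FT_New_Size's allocation sequence with the cleanup guarded. */
static int new_size(Size **asize)
{
    Size *size = NULL;
    Node *node = NULL;
    int   error = 0;

    if (!(size = model_alloc(sizeof *size)) || !(node = model_alloc(sizeof *node)) ||
        !(size->internal = model_alloc(16))) {
        error = 1;
        goto Exit;
    }
    *asize = size;
    model_free(node);               /* the real code links node into the face's size list */
    return 0;
Exit:
    model_free(node);
    if (size)                       /* NULL when the very first allocation failed */
        model_free(size->internal);
    model_free(size);
    return error;
}

/* Runs one fault scenario; returns the error code, or -1 if any block leaked. */
int scenario(int fail)
{
    Size *s = NULL;
    int   error;
    alloc_count = live_blocks = 0;
    fail_at = fail;
    error = new_size(&s);
    if (!error) { model_free(s->internal); model_free(s); }
    return live_blocks == 0 ? error : -1;
}
```

Running `scenario(1)` corresponds to the reporter's backtrace (the first allocation returns NULL); without the `if (size)` guard that path dereferences NULL.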