Another memory leak in the CFF parser...
Migrated from: [SAVANNAH-58629]
Sebastian Rasmussen reported:
Another memory leak was found in FreeType 2.10.0 using gcc 9.3.0 ASAN and a custom allocator that controls when malloc returns NULL.
This is the gdb backtrace (relevant for Freetype) where the allocator returns NULL:
#1 0x0000555555b1b2b8 in ft_mem_qalloc (memory=0x621000002918, size=3952, p_error=0x7fffffffb400)
at freetype/src/base/ftutil.c:76
#2 0x0000555555b1b13d in ft_mem_alloc (memory=0x621000002918, size=3952, p_error=0x7fffffffb4d0)
at freetype/src/base/ftutil.c:55
#3 0x0000555555b96c9f in psh_globals_new (memory=0x621000002918, priv=0x7fffffffb5b0, aglobals=0x61d000001490)
at freetype/src/pshinter/pshglob.c:654
#4 0x0000555555b45a01 in cff_size_init (cffsize=0x60b0000005c8) at freetype/src/cff/cffobjs.c:199
#5 0x0000555555b02cae in FT_New_Size (face=0x61a000001288, asize=0x7fffffffb8c0) at freetype/src/base/ftobjs.c:2848
#6 0x0000555555b016b6 in ft_open_face_internal (library=0x614000000448, args=0x7fffffffb960, face_index=0, aface=0x7fffffffba70,
test_mac_fonts=1 '\001') at freetype/src/base/ftobjs.c:2576
#7 0x0000555555b00bb6 in FT_New_Memory_Face (library=0x614000000448, file_base=0x7ffff418f808 "\001", file_size=81718,
face_index=0, aface=0x7fffffffba70) at freetype/src/base/ftobjs.c:1494
This is the corresponding backtrace where the allocation of the data that leaks occurs:
#1 0x558ae1ff02b7 in ft_mem_qalloc freetype/src/base/ftutil.c:76
#2 0x558ae1ff013c in ft_mem_alloc freetype/src/base/ftutil.c:55
#3 0x558ae206bc9e in psh_globals_new freetype/src/pshinter/pshglob.c:654
#4 0x558ae201a82d in cff_size_init freetype/src/cff/cffobjs.c:188
#5 0x558ae1fd7cad in FT_New_Size freetype/src/base/ftobjs.c:2848
#6 0x558ae1fd66b5 in ft_open_face_internal freetype/src/base/ftobjs.c:2576
#7 0x558ae1fd5bb5 in FT_New_Memory_Face freetype/src/base/ftobjs.c:1494
Looking at the source code (https://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/cff/cffobjs.c#n187) shows that if the first call to funcs->create() successfully allocates internal->topfont and a succeeding call to funcs->create() fails to allocate internal->subfonts[i], then internal->topfont (and any successful allocations of internal->subfonts[i]) will leak.
I shall return with a patch that I believe fixes this problem.
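The failure path described in the report, as an added example that is not FreeType's code: a constructed model of the cff_size_init flow (the names Internal, model_alloc, init_leaky, init_fixed and leaked_blocks are all hypothetical) with an allocator whose budget can be set so that a later create() call returns NULL, showing the early-return version that leaks next to a version that releases what was already created.

```c
#include <string.h>

/* Constructed model of the cff_size_init flow, not FreeType code: a "topfont" is
 * created first, then one object per subfont, through an allocator that can fail. */
typedef struct { char *topfont; char *subfonts[4]; int num_subfonts; } Internal;
static char pool[8][16];    /* static arena: the model never holds real heap memory */
static int  next_slot, allocs_allowed, live_blocks;

static void *model_alloc(void) {        /* returns NULL once the budget is spent */
    if (allocs_allowed-- <= 0) return NULL;
    live_blocks++;
    return pool[next_slot++];
}
static void model_free(void *p) { if (p) live_blocks--; }

/* Leaky version, as in the report: a failed create() returns at once and
 * abandons topfont plus every subfont created before it. */
static int init_leaky(Internal *in) {
    int i;
    if (!(in->topfont = model_alloc())) return -1;
    for (i = 0; i < in->num_subfonts; i++)
        if (!(in->subfonts[i] = model_alloc())) return -1;  /* earlier blocks leak */
    return 0;
}
/* Fixed version: on any failure, release everything created so far. */
static int init_fixed(Internal *in) {
    int i;
    if (!(in->topfont = model_alloc())) return -1;
    for (i = 0; i < in->num_subfonts; i++)
        if (!(in->subfonts[i] = model_alloc())) goto fail;
    return 0;
fail:
    while (--i >= 0) { model_free(in->subfonts[i]); in->subfonts[i] = NULL; }
    model_free(in->topfont); in->topfont = NULL;
    return -1;
}
static void destroy(Internal *in) {     /* normal teardown after a successful init */
    int i;
    for (i = 0; i < in->num_subfonts; i++) model_free(in->subfonts[i]);
    model_free(in->topfont);
}

/* Runs init with three subfonts and an allocator that lets `allowed` calls succeed;
 * returns the number of blocks still outstanding afterwards (0 means no leak). */
int leaked_blocks(int (*init)(Internal *), int allowed) {
    Internal in; memset(&in, 0, sizeof in); in.num_subfonts = 3;
    allocs_allowed = allowed; live_blocks = 0; next_slot = 0;
    if (init(&in) == 0) destroy(&in);
    return live_blocks;
}
```

With the budget set so that the second subfont fails, the leaky flow leaves topfont and the first subfont outstanding, while the fixed flow leaves nothing.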