Crash in CFF parser if string allocation fails...
Migrated from: [SAVANNAH-58630]
Sebastian Rasmussen reported:
I saw a crash in cff_face_init() when it was dereferencing a NULL pointer.
By looking at the source code (https://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/cff/cffobjs.c#n944) I noticed that the problem was that cff_strcpy() returned NULL when the internal allocation failed. This style_name being NULL was then fed into remove_style()...
style_name = cff_strcpy( memory, fullp );
/* ... */
remove_style( cffface->family_name, style_name );
... which, if you look at its source code (https://git.savannah.gnu.org/cgit/freetype/freetype2.git/tree/src/cff/cffobjs.c#n457), passes the style_name directly to ft_strlen(), which does not handle NULL:
style_name_length = (FT_Int32)ft_strlen( style_name );
I have unfortunately lost the backtraces for this issue, but if you really need them I can try to reproduce this. My hope is that the issue in the code is clear enough to be patched without having to dig around for them.
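Added example, not FreeType's code and not part of the report above: a minimal model of the cff_strcpy()/remove_style() pattern described in the report, with a fault-injecting allocator so the allocation-failure path can be driven deterministically. All names (demo_strcpy, demo_remove_style, demo_face_init, the demo_error codes) are hypothetical, and demo_remove_style is a simplified version of the real function that only strips a trailing " <style>" suffix from the family name. The point it shows is the check the crash path lacked: the caller tests the copied string for NULL before handing it on, and the callee refuses NULL instead of passing it to strlen().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical error codes standing in for FreeType's FT_Err_* values. */
typedef enum {
    DEMO_OK = 0,
    DEMO_ERR_OUT_OF_MEMORY = 1,
    DEMO_ERR_INVALID_ARGUMENT = 2
} demo_error;

/* Fault injection: set to 1 to make the next demo_alloc() return NULL. */
static int demo_fail_next_alloc = 0;

static void *demo_alloc(size_t n)
{
    if (demo_fail_next_alloc) {
        demo_fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Plays the role of cff_strcpy(): returns NULL when allocation fails,
 * so every caller must check the result before using it. */
static char *demo_strcpy(const char *src)
{
    size_t n = strlen(src) + 1;
    char *dst = demo_alloc(n);
    if (dst != NULL)
        memcpy(dst, src, n);
    return dst;
}

/* Simplified stand-in for remove_style(): strips a trailing " <style>"
 * from family. Hardened: rejects NULL instead of calling strlen() on it. */
static demo_error demo_remove_style(char *family, const char *style)
{
    size_t fam_len, sty_len;

    if (family == NULL || style == NULL)
        return DEMO_ERR_INVALID_ARGUMENT;

    fam_len = strlen(family);
    sty_len = strlen(style);
    if (sty_len == 0 || fam_len <= sty_len + 1)
        return DEMO_OK;                       /* nothing to strip */

    if (family[fam_len - sty_len - 1] == ' ' &&
        memcmp(family + fam_len - sty_len, style, sty_len) == 0)
        family[fam_len - sty_len - 1] = '\0';
    return DEMO_OK;
}

/* Caller side (the cff_face_init() role): copy the style string, then derive
 * the family name from it. The copy is checked before use and an allocation
 * failure is propagated as an error rather than reaching strlen(NULL). */
static demo_error demo_face_init(char *family, const char *full_style,
                                 char **style_out)
{
    char *style = demo_strcpy(full_style);

    *style_out = NULL;
    if (style == NULL)
        return DEMO_ERR_OUT_OF_MEMORY;        /* the missing check */

    if (demo_remove_style(family, style) != DEMO_OK) {
        free(style);
        return DEMO_ERR_INVALID_ARGUMENT;
    }
    *style_out = style;
    return DEMO_OK;
}

int main(void)
{
    /* Constructed sample input: a synthetic family name and style. */
    char family[] = "Example Sans Bold";
    char family2[] = "Example Sans Bold";
    char *style = NULL;
    demo_error err;

    /* Normal path: style split off, family name trimmed. */
    err = demo_face_init(family, "Bold", &style);
    printf("%d \"%s\" / \"%s\"\n", err, family, style ? style : "(null)");
    free(style);

    /* Injected allocation failure: error code, family untouched, no crash. */
    demo_fail_next_alloc = 1;
    err = demo_face_init(family2, "Bold", &style);
    printf("%d \"%s\"\n", err, family2);
    return 0;
}
```

With the fault injected, demo_face_init returns DEMO_ERR_OUT_OF_MEMORY and never reaches demo_remove_style; the second guard inside demo_remove_style is defence in depth for any other caller that forgets the check.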