2003-06-25 Owen Taylor <otaylor@redhat.com> * src/sfnt/ttload.c (tt_face_load_hdmx): Don't assign num_records until we actually decide to load the table, otherwise, we'll segfault in tt_face_free_hdmx.
diff --git a/ChangeLog b/ChangeLog
index 9756542..fc5d998 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2003-06-25 Owen Taylor <otaylor@redhat.com>
+
+ * src/sfnt/ttload.c (tt_face_load_hdmx): Don't assign
+ num_records until we actually decide to load the table,
+ otherwise, we'll segfault in tt_face_free_hdmx.
+
2003-06-24 Werner Lemberg <wl@gnu.org>
* src/cff/cffdrivr.c (cff_get_glyph_name): Protect agains zero
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index bea78d4..13b7e86 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -1776,6 +1776,7 @@
FT_Memory memory = stream->memory;
TT_Hdmx hdmx = &face->hdmx;
+ FT_Short num_records;
FT_Long num_glyphs;
FT_Long record_size;
@@ -1793,7 +1794,7 @@
goto Exit;
hdmx->version = FT_GET_USHORT();
- hdmx->num_records = FT_GET_SHORT();
+ num_records = FT_GET_SHORT();
record_size = FT_GET_LONG();
FT_FRAME_EXIT();
@@ -1802,9 +1803,10 @@
if ( hdmx->version != 0 )
goto Exit;
- if ( FT_NEW_ARRAY( hdmx->records, hdmx->num_records ) )
+ if ( FT_NEW_ARRAY( hdmx->records, num_records ) )
goto Exit;
+ hdmx->num_records = num_records;
num_glyphs = face->root.num_glyphs;
record_size -= num_glyphs + 2;
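Review bot: The count read in the second hunk (`num_records = FT_GET_SHORT();`) is a signed 16-bit value taken directly from the font file, and it reaches `FT_NEW_ARRAY( hdmx->records, num_records )` in this hunk without a range check. A malformed table can therefore hand a negative count to the allocator and, after the new assignment, to `hdmx->num_records`. How FT_NEW_ARRAY and tt_face_free_hdmx treat a negative count is not visible in these hunks, so I would reject it alongside the existing version test: `if ( hdmx->version != 0 || num_records < 0 )` followed by the same `goto Exit;`. A short comment above the new assignment would record the ordering constraint the commit message describes, e.g. `/* publish the count only once records is allocated; tt_face_free_hdmx relies on it */`. The body of tt_face_load_hdmx starts and ends outside these hunks.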