Commit db053ec9a52b31c72e0939c8dc3bec3de70d7521

suzuki toshiya 2010-09-17T23:20:00

[truetype] Don't duplicate size->twilight structure to be freed. * src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate FT_GlyphZoneRec size->twilight to be freed. If duplicated, FT_FREE() erases the duplicated pointers only and leaves the original pointers intact. They can cause a double-free crash when burst errors occur in the TrueType interpreter and free_buffer_in_size() is invoked repeatedly. See Savannah bug #31040 for details.

diff --git a/ChangeLog b/ChangeLog
index ac0ad57..2b3307d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2010-09-17  suzuki toshiya  <mpsuzuki@hiroshima-u.ac.jp>
+
+	[truetype] Don't duplicate size->twilight structure to be freed.
+
+	* src/truetype/ttinterp.c (free_buffer_in_size): Don't duplicate
+	FT_GlyphZoneRec size->twilight to be freed.  If duplicated,
+	FT_FREE() erases the duplicated pointers only and leave original
+	pointers.  They can cause the double-free crash when the burst
+	errors occur in TrueType interpreter and free_buffer_in_size()
+	is invoked repeatedly.  See Savannah bug #31040 for detail.
+
 2010-09-15  Werner Lemberg  <wl@gnu.org>
 
 	Make bytecode debugging with FontForge work again.
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 6401009..f1b7ac3 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -7364,9 +7364,8 @@
   static void
   free_buffer_in_size( TT_ExecContext  exc )
   {
-    FT_Memory        memory = exc->memory;
-    TT_Size          size = exc->size;
-    TT_GlyphZoneRec  twilight;
+    FT_Memory  memory = exc->memory;
+    TT_Size    size = exc->size;
 
 
     if ( !size )
@@ -7381,18 +7380,16 @@
     if ( size->storage )
       FT_FREE( size->storage );
 
-    twilight = size->twilight;
-
-    if ( twilight.org )
-      FT_FREE( twilight.org );
-    if ( twilight.cur )
-      FT_FREE( twilight.cur );
-    if ( twilight.orus )
-      FT_FREE( twilight.orus );
-    if ( twilight.tags )
-      FT_FREE( twilight.tags );
-    if ( twilight.contours )
-      FT_FREE( twilight.contours );
+    if ( size->twilight.org )
+      FT_FREE( size->twilight.org );
+    if ( size->twilight.cur )
+      FT_FREE( size->twilight.cur );
+    if ( size->twilight.orus )
+      FT_FREE( size->twilight.orus );
+    if ( size->twilight.tags )
+      FT_FREE( size->twilight.tags );
+    if ( size->twilight.contours )
+      FT_FREE( size->twilight.contours );
   }
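Review bot: The five `if ( size->twilight.X )` guards in front of the FT_FREE() calls are redundant: FT_FREE() tolerates a NULL argument and, as this fix itself relies on, resets the freed field to NULL in place, so each pair can collapse to a single `FT_FREE( size->twilight.org );` (same for the `size->storage` guard earlier in the hunk). Because the double-free protection hangs entirely on that in-place reset, a short comment above the block would guard against a later "cleanup" reintroducing a local copy of the zone: `/* Free the zone fields in place: FT_FREE() nulls each pointer, so a repeated call after a burst of interpreter errors is harmless. */`. The zone's bookkeeping counts are not touched here; whether any caller that later grows the twilight zone consults them before reusing these now-freed buffers is worth confirming, but lies outside this hunk.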