Also notable: in `cairo_cff_font_destroy`, the doomed `free (font->fd_local_sub_bias);` call is guarded by a call to `if (font->is_cid) {`. But that `is_cid` member is uninitialized at the point where we crash, though. (It's `0xe5e5e5e5` which is truthy, so we enter that clause). If we were to somehow reach `cairo_cff_font_fallback_generate` (which seems like a reasonable thing to reach for the product of `_cairo_cff_font_fallback_create`), then we would be OK because we'd hit this assignment: https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#3264-3265

```cpp
/* Create Top Dict */
font->is_cid = FALSE;
```

Maybe that's what cairo is expecting to happen, and why it doesn't bother to initialize those members like `fd_local_sub_bias`? Not sure. But anyway, in this case we never make it that far, so `is_cid` is uninitialized and truthy, so `cairo_cff_font_destroy` does enter the fatal chunk of code and attempts to free the uninitialized `fd_local_sub_bias` pointer.
Bug 1893270 Comment 11 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Also notable: in `cairo_cff_font_destroy`, the doomed `free (font->fd_local_sub_bias);` call is guarded by a call to `if (font->is_cid) {`: https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#2894-2895,2927,2942

```cpp
static void
cairo_cff_font_destroy (cairo_cff_font_t *font)
...
    if (font->is_cid) {
...
        free (font->fd_local_sub_bias);
```

But that `is_cid` member is still uninitialized when we read it here in the fatal run-through, though. (It's `0xe5e5e5e5` which is truthy, so we enter that clause). If we were to somehow reach `cairo_cff_font_fallback_generate` (which seems like a reasonable thing to reach for the product of `_cairo_cff_font_fallback_create`), then we would be OK because we'd hit this assignment: https://searchfox.org/mozilla-central/rev/6121b33709dd80979a6806ff59096a561e348ae8/gfx/cairo/cairo/src/cairo-cff-subset.c#3264-3265

```cpp
/* Create Top Dict */
font->is_cid = FALSE;
```

Maybe that's what cairo is expecting to happen, and why it doesn't bother to initialize those members like `fd_local_sub_bias`? Not sure. But anyway, in this case we never make it that far, so `is_cid` is uninitialized and truthy, so `cairo_cff_font_destroy` does enter the fatal chunk of code and attempts to free the uninitialized `fd_local_sub_bias` pointer.
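The failure mode the comment describes, reduced to a stand-alone C model. This is an added example, not cairo's code and not part of the bug comment: the struct, field and function names (`model_font_t`, `font_create_uninitialized`, `destroy_would_free_fd_bias`, and so on) are hypothetical stand-ins that mirror only the two members the comment talks about, and the `0xe5` fill is a constructed simulation of allocator poisoning rather than real uninitialized memory. It shows why the guard is taken when the object is never initialized, and that zero-initializing at allocation time removes the fatal branch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Reduced model of the object in the comment. Only the flag that guards the
 * free and the pointer being freed are modelled; names are stand-ins.
 */
typedef struct {
    int   is_cid;             /* cairo's cairo_bool_t is an int */
    void *fd_local_sub_bias;  /* only allocated on the CID path */
} model_font_t;

/* Byte pattern the comment reports in the never-written fields (0xe5e5e5e5). */
#define POISON_BYTE 0xe5

/* Models the fallback-create path: storage obtained, fields never assigned. */
static model_font_t *font_create_uninitialized(void)
{
    model_font_t *font = malloc(sizeof *font);
    if (font == NULL)
        return NULL;
    /* Constructed: simulate allocator poison instead of reading real garbage. */
    memset(font, POISON_BYTE, sizeof *font);
    return font;
}

/* Hardened variant: zero-initialize, so is_cid is FALSE and the pointer is NULL. */
static model_font_t *font_create_initialized(void)
{
    return calloc(1, sizeof(model_font_t));
}

/*
 * Mirrors the guard in the destroy function. Returns 1 if teardown would reach
 * free(font->fd_local_sub_bias), 0 otherwise. It does not free anything, so a
 * poisoned object can be probed without crashing.
 */
static int destroy_would_free_fd_bias(const model_font_t *font)
{
    return font->is_cid != 0;
}

/* Teardown that is safe for a properly initialized object. */
static void font_destroy(model_font_t *font)
{
    if (font == NULL)
        return;
    if (font->is_cid)
        free(font->fd_local_sub_bias);  /* NULL on the calloc path: a no-op */
    free(font);
}

/* The uninitialized object takes the fatal branch (returns 1). */
int uninitialized_object_takes_free_branch(void)
{
    model_font_t *font = font_create_uninitialized();
    if (font == NULL)
        return -1;
    int taken = destroy_would_free_fd_bias(font);
    /* Release only the struct itself; freeing fd_local_sub_bias here would crash. */
    free(font);
    return taken;
}

/* The zero-initialized object skips the branch (returns 0). */
int initialized_object_takes_free_branch(void)
{
    model_font_t *font = font_create_initialized();
    if (font == NULL)
        return -1;
    int taken = destroy_would_free_fd_bias(font);
    font_destroy(font);
    return taken;
}

/* The flag value the poisoned object carries, for comparison with the comment. */
unsigned int poisoned_is_cid_value(void)
{
    model_font_t *font = font_create_uninitialized();
    if (font == NULL)
        return 0;
    unsigned int value = (unsigned int) font->is_cid;
    free(font);
    return value;
}

int main(void)
{
    printf("poisoned is_cid = 0x%08x\n", poisoned_is_cid_value());
    printf("uninitialized object would free fd_local_sub_bias: %d\n",
           uninitialized_object_takes_free_branch());
    printf("zero-initialized object would free fd_local_sub_bias: %d\n",
           initialized_object_takes_free_branch());
    return 0;
}
```

The design point is that the destroy path trusts a flag that the create path never set, so its correctness depends on an intermediate step (`generate`) that an early failure can skip. Initializing both members at allocation (calloc, or explicit assignments in the create function) makes teardown safe regardless of which later steps ran; MemorySanitizer or Valgrind report the conditional jump on the uninitialized flag before the bad free is ever reached.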