From 621cb79d6221726cbe2b367fc469e11f2b8b8c33 Mon Sep 17 00:00:00 2001
From: Matthew Fernandez
Date: Sat, 1 Aug 2020 09:37:20 -0700
Subject: [PATCH] fix: take a copy of font name when caching fonts in Pango plugin

The Pango plugin caches the last used font to save an expensive reconstruction process each time it runs. To determine whether the cached font is eligible for reuse, the name and size of the requested font are checked against the cache entry. However the name of the cached font was only stored as a pointer to the original name. The cached entry could outlive the original font, which could be freed before a next call into the plugin. As a result, the plugin would perform a strcmp using a stale freed pointer. To address this we simply take a copy of the font name's string data instead of just a pointer to it. There is no need to copy any of the other cached fields as they are only accessed if the font name check finds the entry to be valid. Related to #1767.
---
 plugin/pango/gvtextlayout_pango.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/plugin/pango/gvtextlayout_pango.c b/plugin/pango/gvtextlayout_pango.c
index fdb0f024c..7c72d5ccf 100644
--- a/plugin/pango/gvtextlayout_pango.c
+++ b/plugin/pango/gvtextlayout_pango.c
@@ -58,6 +58,16 @@ static char* pango_psfontResolve (PostscriptAlias* pa)
 #define FULL_MARKUP ""
 #endif
 
+/* strdup, exiting on failure */
+static char *xstrdup(const char *str) {
+ char *s = strdup(str);
+ if (s == NULL) {
+ fprintf(stderr, "out of memory\n");
+ abort();
+ }
+ return s;
+}
+
 static boolean pango_textlayout(textspan_t * span, char **fontpath)
 {
 static char buf[1024]; /* returned in fontpath, only good until next call */
@@ -103,7 +113,8 @@ static boolean pango_textlayout(textspan_t * span, char **fontpath)
 return FALSE;
 }
 
- fontname = span->font->name;
+ free(fontname);
+ fontname = xstrdup(span->font->name);
 fontsize = span->font->size;
 
 pango_font_description_free (desc);
-- 
2.40.0
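Review bot: xstrdup hands str straight to strdup, which is undefined behaviour for a NULL argument, and its one caller in this patch passes span->font->name; if a span can ever carry a font without a name, the old code merely cached the NULL pointer while the new code crashes inside strdup. Nothing in the hunk shows whether that can happen, so at minimum the precondition and the ownership of the result should be stated on the helper: `/* strdup, exiting on failure. str must be non-NULL; the caller owns the result and must free() it. */`. Note also that strdup is POSIX rather than ISO C, and abort()/fprintf need <stdlib.h>/<stdio.h>; the include block is outside this hunk, so confirm those headers (or the platform's strdup equivalent) are already in scope for every target the plugin builds on.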
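Review bot: the `free(fontname); fontname = xstrdup(span->font->name);` ordering is only safe because xstrdup aborts instead of returning NULL; if that out-of-memory policy is ever relaxed, the free would already have run and a failed copy would leave the cache pointing at freed memory again, which is the very bug this commit fixes. Either copy first and free the old name afterwards, or pin the assumption next to the call: `/* xstrdup aborts on failure, so freeing first cannot leave fontname dangling */`. The static fontname is now an owned heap copy that lives until the next cache miss (it is never released at exit, which leak checkers will report as still reachable); its declaration and the strcmp-based cache check that depends on it are both outside this hunk, so the ownership should be documented at the declaration, e.g. `/* heap copy of the cached font name, owned here; NULL until first use */`. pango_textlayout starts and ends outside the hunk.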