From 395b35903e052aecc97d0807e4f813c64c0d2b0b Mon Sep 17 00:00:00 2001 From: Behdad Esfahbod <behdad@behdad.org> Date: Sun, 28 Dec 2014 16:03:26 -0800 Subject: [PATCH] Avoid accessing layout tables at face destruction "Fixes" https://bugs.freedesktop.org/show_bug.cgi?id=86300 Based on discussion someone else who had a similar issue, most probably the user is releasing FT_Face before destructing hb_face_t / hb_font_t. While that's a client bug, and while we can (and should) use FreeType refcounting to help avoid that, it happens that we were accessing the table when we didn't really have to. Avoid that. --- src/hb-ot-layout-private.hh | 3 +-- src/hb-ot-layout.cc | 4 ++-- src/hb-ot-shape-complex-arabic-fallback.hh | 2 +- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/hb-ot-layout-private.hh b/src/hb-ot-layout-private.hh index ae7daa6db..3f7c858d1 100644 --- a/src/hb-ot-layout-private.hh +++ b/src/hb-ot-layout-private.hh @@ -126,8 +126,7 @@ struct hb_ot_layout_lookup_accelerator_t lookup.add_coverage (&digest); } - template <typename TLookup> - inline void fini (const TLookup &lookup HB_UNUSED) + inline void fini (void) { } diff --git a/src/hb-ot-layout.cc b/src/hb-ot-layout.cc index 661d90ea0..602b94ecd 100644 --- a/src/hb-ot-layout.cc +++ b/src/hb-ot-layout.cc @@ -84,9 +84,9 @@ void _hb_ot_layout_destroy (hb_ot_layout_t *layout) { for (unsigned int i = 0; i < layout->gsub_lookup_count; i++) - layout->gsub_accels[i].fini (layout->gsub->get_lookup (i)); + layout->gsub_accels[i].fini (); for (unsigned int i = 0; i < layout->gpos_lookup_count; i++) - layout->gpos_accels[i].fini (layout->gpos->get_lookup (i)); + layout->gpos_accels[i].fini (); free (layout->gsub_accels); free (layout->gpos_accels); diff --git a/src/hb-ot-shape-complex-arabic-fallback.hh b/src/hb-ot-shape-complex-arabic-fallback.hh index dc659e084..a77f24ec8 100644 --- a/src/hb-ot-shape-complex-arabic-fallback.hh +++ b/src/hb-ot-shape-complex-arabic-fallback.hh @@ -327,7 +327,7 @@ arabic_fallback_plan_destroy (arabic_fallback_plan_t *fallback_plan) for (unsigned int i = 0; i < fallback_plan->num_lookups; i++) if (fallback_plan->lookup_array[i]) { - fallback_plan->accel_array[i].fini (fallback_plan->lookup_array[i]); + fallback_plan->accel_array[i].fini (); if (fallback_plan->free_lookups) free (fallback_plan->lookup_array[i]); }