From 84be1bd4d3ed8d2d9e65301649bc841ea4197fe2 Mon Sep 17 00:00:00 2001
From: Konstantin Ritt <ritt.ks@gmail.com>
Date: Tue, 14 Jan 2014 18:27:33 +0200
Subject: Fix crash due to a stale pointer dereferencing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The HB face caching mechanism introduced in 227e9a40cfeb7e00658cd3
wasn't complete due that fact that HB-NG doesn't parse the entire
font table at once but rather references a table on-demand.
This incompleteness caused a crash in case the engine doesn't
get cached or when it removed from the cache and then re-used.

Task-number: QTBUG-36099

Change-Id: I7816836107655ce7cf6eb9683bb5dc7f892f9cd1
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
Reviewed-by: Michael Krasnyk <michael.krasnyk@gmail.com>
Reviewed-by: Lars Knoll <lars.knoll@digia.com>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
---
 src/gui/text/qfontengine_ft.cpp | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

(limited to 'src/gui/text/qfontengine_ft.cpp')

diff --git a/src/gui/text/qfontengine_ft.cpp b/src/gui/text/qfontengine_ft.cpp
index 42cf15ee3b..05bd014bd7 100644
--- a/src/gui/text/qfontengine_ft.cpp
+++ b/src/gui/text/qfontengine_ft.cpp
@@ -116,6 +116,21 @@ QT_BEGIN_NAMESPACE
 #define TRUNC(x)    ((x) >> 6)
 #define ROUND(x)    (((x)+32) & -64)
 
+static bool ft_getSfntTable(void *user_data, uint tag, uchar *buffer, uint *length)
+{
+    FT_Face face = (FT_Face)user_data;
+
+    bool result = false;
+    if (FT_IS_SFNT(face)) {
+        FT_ULong len = *length;
+        result = FT_Load_Sfnt_Table(face, tag, 0, buffer, &len) == FT_Err_Ok;
+        *length = len;
+    }
+
+    return result;
+}
+
+
 // -------------------------- Freetype support ------------------------------
 
 class QtFreetypeData
@@ -408,15 +423,7 @@ QFontEngine::Properties QFreetypeFace::properties() const
 
 bool QFreetypeFace::getSfntTable(uint tag, uchar *buffer, uint *length) const
 {
-    bool result = false;
-#if (FREETYPE_MAJOR*10000 + FREETYPE_MINOR*100 + FREETYPE_PATCH) > 20103
-    if (FT_IS_SFNT(face)) {
-        FT_ULong len = *length;
-        result = FT_Load_Sfnt_Table(face, tag, 0, buffer, &len) == FT_Err_Ok;
-        *length = len;
-    }
-#endif
-    return result;
+    return ft_getSfntTable(face, tag, buffer, length);
 }
 
 /* Some fonts (such as MingLiu rely on hinting to scale different
@@ -761,6 +768,8 @@ bool QFontEngineFT::init(FaceId faceId, bool antialias, GlyphFormat format,
     fontDef.styleName = QString::fromUtf8(face->style_name);
 
     if (!freetype->hbFace) {
+        faceData.user_data = face;
+        faceData.get_font_table = ft_getSfntTable;
         freetype->hbFace = harfbuzzFace();
         freetype->hbFace_destroy_func = face_destroy_func;
     } else {
@@ -1179,7 +1188,7 @@ QFixed QFontEngineFT::emSquareSize() const
 
 bool QFontEngineFT::getSfntTableData(uint tag, uchar *buffer, uint *length) const
 {
-    return freetype->getSfntTable(tag, buffer, length);
+    return ft_getSfntTable(freetype->face, tag, buffer, length);
 }
 
 int QFontEngineFT::synthesized() const
-- 
cgit v1.2.3