[Bf-committers] [Patch] Bad function call triggers blender crash on text addition

Cyril Brulebois kibi at debian.org
Thu Jun 26 19:21:04 CEST 2008 

Hi,

since freetype 2.3.6, an additional check was added, which triggers a
crash since Blender isn't using it properly (as far as I can tell). I
guess the cast was added so that the compiler shuts up, but it looks
like the function called here isn't actually the one that was meant. See
attached patch for a fix that seems to work fine.

For reference, the backtrace with 2.46 is attached as well. And the bits
of code that changed between 2.3.5 and 2.3.6 that trigger the crash are
the additional check:
| --- freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c
| +++ freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c
| @@ -2631,6 +2690,8 @@
|      cur = face->charmaps;
|      if ( !cur )
|        return FT_Err_Invalid_CharMap_Handle;
| +    if ( FT_Get_CMap_Format( charmap ) == 14 )
| +      return FT_Err_Invalid_Argument;
| 
|      limit = cur + face->num_charmaps;
| 

I'm currently lacking time to check whether that's still valid for
trunk.

Initial Debian bugreport: http://bugs.debian.org/487890

Mraw,
KiBi.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nasty-cast.diff
Type: text/x-diff
Size: 349 bytes
Desc: not available
Url : http://lists.blender.org/pipermail/bf-committers/attachments/20080626/9aebc23f/attachment.diff 
-------------- next part --------------
$ bt
#0  0x00007f1ee67d9710 in FT_Get_CMap_Format (charmap=0x756e6963) at /home/cyril/tmp/blender+debug/freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c:3245
#1  0x00007f1ee67d888b in FT_Set_Charmap (face=0x18e0a60, charmap=0x756e6963) at /home/cyril/tmp/blender+debug/freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c:2693
#2  0x00000000009f34e4 in BLI_vfontdata_from_freetypefont (pf=<value optimized out>) at source/blender/blenlib/intern/freetypefont.c:408
#3  0x00000000008ee245 in load_vfont (name=0xc8f74c "<builtin>") at source/blender/blenkernel/intern/font.c:383
#4  0x00000000005a4fe9 in add_primitiveFont (dummy_argument=<value optimized out>) at source/blender/src/editfont.c:1177
#5  0x00000000006c64aa in do_info_addmenu (arg=<value optimized out>, event=1970170211) at source/blender/src/header_info.c:1471
#6  0x00000000005d69f9 in uiDoBlocks (lb=0x11759e0, event=<value optimized out>, movemouse_quit=1) at source/blender/src/interface.c:5108
#7  0x000000000064d1d6 in toolbox_n () at source/blender/src/toolbox.c:2249
#8  0x000000000053d45c in screenmain () at source/blender/src/editscreen.c:1485
#9  0x0000000000534e12 in main (argc=1, argv=0x7fffef655c28) at source/creator/creator.c:818

$ bt full
#0  0x00007f1ee67d9710 in FT_Get_CMap_Format (charmap=0x756e6963) at /home/cyril/tmp/blender+debug/freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c:3245
	service = (FT_Service_TTCMaps) 0x756e6963
	face = (FT_Face) 0x18ed050
	cmap_info = {language = 140737209783600, format = 1970170211}
#1  0x00007f1ee67d888b in FT_Set_Charmap (face=0x18e0a60, charmap=0x756e6963) at /home/cyril/tmp/blender+debug/freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c:2693
	cur = (FT_CharMap *) 0x18dee20
	limit = (FT_CharMap *) 0x7f1ee7654000
#2  0x00000000009f34e4 in BLI_vfontdata_from_freetypefont (pf=<value optimized out>) at source/blender/blenlib/intern/freetypefont.c:408
	vfd = (VFontData *) 0x18e4370
#3  0x00000000008ee245 in load_vfont (name=0xc8f74c "<builtin>") at source/blender/blenkernel/intern/font.c:383
	vfd = <value optimized out>
	filename = "<builtin>\000\200?\000\000\200?\000\000\200?", '\0' <repeats 18 times>, "\200?", '\0' <repeats 18 times>, "\200?", '\0' <repeats 18 times>, "\200?"
	vfont = (VFont *) 0x0
	pf = (PackedFile *) 0x18aed40
	tpf = (PackedFile *) 0x0
	is_builtin = 1
#4  0x00000000005a4fe9 in add_primitiveFont (dummy_argument=<value optimized out>) at source/blender/src/editfont.c:1177
	cu = (Curve *) 0x18cc590
#5  0x00000000006c64aa in do_info_addmenu (arg=<value optimized out>, event=1970170211) at source/blender/src/header_info.c:1471
No locals.
#6  0x00000000005d69f9 in uiDoBlocks (lb=0x11759e0, event=<value optimized out>, movemouse_quit=1) at source/blender/src/interface.c:5108
	block = <value optimized out>
	uevent = {mval = {634, 476}, qual = 0, val = 1, event = 220}
	retval = 4
	cont = 1
#7  0x000000000064d1d6 in toolbox_n () at source/blender/src/toolbox.c:2249
	block = (uiBlock *) 0x18cbdb0
	but = (uiBut *) 0x18cd410
	storage = {first = 0x18cbf60, last = 0x18cbf60}
	menu1 = (TBitem *) 0x18cd410
	menu2 = (TBitem *) 0x102c840
	menu3 = (TBitem *) 0x102aa20
	menu4 = (TBitem *) 0x102c940
	menu5 = (TBitem *) 0x102cba0
	menu6 = (TBitem *) 0x102cd80
	menu7 = (TBitem *) 0x102cf20
	dx = 96
	mval = {634, 476}
	tot = 7
	str1 = 0xccf58a "Add"
	str2 = 0xc8d6c9 "Edit"
	str3 = 0xc9e37d "Select"
	str4 = 0xc9cb08 "Transform"
	str5 = 0xc9f34c "Object"
	str6 = 0xcaeb80 "View"
	str7 = 0xcaa05f "Render"
#8  0x000000000053d45c in screenmain () at source/blender/src/editscreen.c:1485
	event = 221
	val = 1
	towin = 1
	ascii = 32 ' '
	firsttime = 0
	onload_script = 0
#9  0x0000000000534e12 in main (argc=1, argv=0x7fffef655c28) at source/creator/creator.c:818
	a = 0
	i = 13085280
	stax = 0
	stay = 0
	sizx = 1280
	sizy = 1024
	scr_init = 0
	syshandle = (SYS_SystemHandle) 0x1341e90

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://lists.blender.org/pipermail/bf-committers/attachments/20080626/9aebc23f/attachment.pgp

More information about the Bf-committers mailing list