Xvnc 3.3.3r2 crashes while rendering Type 1 font

Tristan Richardson tjr "at" uk.research.att.com
Thu, 16 Nov 2000 10:46:07 +0000

Strange.  None of the font code has been touched between 3.3.3r1 and 3.3.3r2 -
it all comes straight from the same XFree86 3.3.2 distribution.  It certainly
doesn't seem to go wrong on any of the platforms we have here.  I'm afraid I
don't understand this code well enough to be able to debug it, either.
"Dimitry Andric" <dim "at" xs4all.nl> writes:

> I had been running vnc-3.3.3r1 on FreeBSD/i386 for some time, without
> any problems. When a new version of the port, 3.3.3r2, became
> available, I installed it, and immediately Xvnc began coredumping,
> initially due to my window manager (icewm).
>
> #0  0x80bcfee in crosses (h=1, left=0x4, right=0x283be0a8) at
> regions.c:1278
> #1  0x80bcb98 in swathxsort (before0=0xbfbfe4bc, edge=0x283be090) at
> regions.c:1055
> #2  0x80bc8e2 in t1_SortSwath (anchor=0x283bec70, edge=0x283be090,
> swathfcn=0x80bca98 <swathxsort>) at regions.c:875
> #3  0x80bc722 in newfilledge (R=0x283bf490, xmin=250466, xmax=271415,
> ymin=1, ymax=34284, isdown=1) at regions.c:765
> #4  0x80bc507 in t1_ChangeDirection (type=0, R=0x283bf490, x=250466,
> y=34284, dy=0) at regions.c:684
> #5  0x80d4838 in t1_StepLine (R=0x283bf490, x1=250466, y1=34284,
> x2=252370, y2=34284) at lines.c:89
> #6  0x80bc261 in t1_Interior (p=0x283bec00, fillrule=126) at
> regions.c:510
> #7  0x80b8f02 in fontfcnB (S=0x283be010 "\005\001\002",
> code=0x81db6d1 "Q", lenP=0xbfbfe72c, mode=0xbfbfe728) at
> fontfcn.c:178
> #8  0x809f153 in Type1OpenScalable (fpe=0x8219d84, ppFont=0xbfbff8b0,
> flags=0, entry=0x2838b164, fileName=0xbfbfec3c
> "/usr/X11R6/lib/X11/fonts/Type1/cour.pfa", vals=0xbfbfebcc,
> format=512, fmask=31, non_cachable_font=0x0) at t1funcs.c:290
> #9  0x808ea50 in FontFileOpenFont (client=0x82154e0 "\003",
> fpe=0x8219d84, flags=0, name=0x827b92c
> "-adobe-courier-medium-r-*-*-*-140-*-*-*-*-*-*pppy \030%P\004",
> namelen=45, format=512, fmask=31, id=12583002, pFont=0xbfbff8b0,
> aliasName=0xbfbff89c, non_cachable_font=0x0) at fontfile.c:442
> #10 0x805363a in doOpenFont (client=0x82154e0, c=0x827b4f4) at
> dixfonts.c:273
> #11 0x8053b71 in OpenFont (client=0x82154e0, fid=12583002, flags=0,
> lenfname=45, pfontname=0x8261068
> "-adobe-courier-medium-r-*-*-*-140-*-*-*-*-*-*") at dixfonts.c:448
> #12 0x80622d0 in ProcOpenFont (client=0x82154e0) at dispatch.c:1146
> #13 0x80609f7 in Dispatch () at dispatch.c:300
> #14 0x804a851 in main (argc=18, argv=0xbfbffae8) at main.c:400
> #15 0x804a215 in _start ()
>
> So it crashes when it is rendering the
> "-adobe-courier-medium-r-*-*-*-140-*-*-*-*-*-*" font. This is not
> caused specifically by icewm, I can also get Xvnc to segfault by
> using xfontsel, and selecting this specific adobe-courier font. These
> fonts are from the normal FreeBSD XFree86 distribution.
> These segfaults do not occur when I use vnc-3.3.3r1, so I think I can
> rule out bad or corrupt font files (or is r1 more tolerant?). I'm
> starting Xvnc with the (unmodified) vncserver script from the
> distribution. I also tried modifying the script, to specify an exact
> font path, but that didn't make any difference. Logical, because the
> problem is obviously not that it can't find the font, it accesses an
> "almost-NULL" pointer (i.e. 0x4) in crosses() from regions.c.
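The diagnosis at the end of the report, that a fault address of 0x4 is a NULL pointer plus a small field offset rather than a missing font, is the kind of check a crash-triage tool can make mechanically. The following Python is an added example, not code from the thread or from the VNC/XFree86 projects: it parses the gdb backtrace quoted above (wrapped lines are re-joined), picks out the crashing frame, and flags any hex-valued argument that lies in the first page of the address space, where a dereference can only mean NULL plus an offset. The 0x1000 page-size threshold and the frame-line format (`#N 0xADDR in func (args) at file:line`, as gdb prints it) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Backtrace exactly as quoted in the bug report; the parser re-joins the
# wrapped continuation lines. Raw string so gdb's "\005" escapes survive.
SAMPLE_BACKTRACE = r"""#0  0x80bcfee in crosses (h=1, left=0x4, right=0x283be0a8) at
regions.c:1278
#1  0x80bcb98 in swathxsort (before0=0xbfbfe4bc, edge=0x283be090) at
regions.c:1055
#2  0x80bc8e2 in t1_SortSwath (anchor=0x283bec70, edge=0x283be090,
swathfcn=0x80bca98 <swathxsort>) at regions.c:875
#3  0x80bc722 in newfilledge (R=0x283bf490, xmin=250466, xmax=271415,
ymin=1, ymax=34284, isdown=1) at regions.c:765
#4  0x80bc507 in t1_ChangeDirection (type=0, R=0x283bf490, x=250466,
y=34284, dy=0) at regions.c:684
#5  0x80d4838 in t1_StepLine (R=0x283bf490, x1=250466, y1=34284,
x2=252370, y2=34284) at lines.c:89
#6  0x80bc261 in t1_Interior (p=0x283bec00, fillrule=126) at
regions.c:510
#7  0x80b8f02 in fontfcnB (S=0x283be010 "\005\001\002",
code=0x81db6d1 "Q", lenP=0xbfbfe72c, mode=0xbfbfe728) at
fontfcn.c:178
#8  0x809f153 in Type1OpenScalable (fpe=0x8219d84, ppFont=0xbfbff8b0,
flags=0, entry=0x2838b164, fileName=0xbfbfec3c
"/usr/X11R6/lib/X11/fonts/Type1/cour.pfa", vals=0xbfbfebcc,
format=512, fmask=31, non_cachable_font=0x0) at t1funcs.c:290
#9  0x808ea50 in FontFileOpenFont (client=0x82154e0 "\003",
fpe=0x8219d84, flags=0, name=0x827b92c
"-adobe-courier-medium-r-*-*-*-140-*-*-*-*-*-*pppy \030%P\004",
namelen=45, format=512, fmask=31, id=12583002, pFont=0xbfbff8b0,
aliasName=0xbfbff89c, non_cachable_font=0x0) at fontfile.c:442
#10 0x805363a in doOpenFont (client=0x82154e0, c=0x827b4f4) at
dixfonts.c:273
#11 0x8053b71 in OpenFont (client=0x82154e0, fid=12583002, flags=0,
lenfname=45, pfontname=0x8261068
"-adobe-courier-medium-r-*-*-*-140-*-*-*-*-*-*") at dixfonts.c:448
#12 0x80622d0 in ProcOpenFont (client=0x82154e0) at dispatch.c:1146
#13 0x80609f7 in Dispatch () at dispatch.c:300
#14 0x804a851 in main (argc=18, argv=0xbfbffae8) at main.c:400
#15 0x804a215 in _start ()
"""

# Assumed gdb frame layout: "#N  0xADDR in func (args) at file:line";
# the "0xADDR in" and "at file:line" parts are optional (see frame #15).
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(\S+)\s*\((.*)\)"
    r"(?:\s+at\s+(\S+):(\d+))?\s*$"
)
HEX_ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)\b")

# Assumption: the lowest page of the address space is never mapped, so any
# pointer below this value is NULL plus a struct-field offset.
PAGE_SIZE = 0x1000


@dataclass
class Frame:
    number: int
    function: str
    args: str
    location: Optional[str]  # "file:line", or None when gdb has no source info


def parse_backtrace(text: str) -> List[Frame]:
    """Re-join wrapped lines (those not starting with '#') and parse each frame."""
    joined: List[str] = []
    for line in text.splitlines():
        if line.startswith("#"):
            joined.append(line.rstrip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()
    frames = []
    for entry in joined:
        m = FRAME_RE.match(entry)
        if not m:
            continue  # tolerate lines gdb may print that are not frames
        num, func, args, path, lineno = m.groups()
        loc = f"{path}:{lineno}" if path else None
        frames.append(Frame(int(num), func, args, loc))
    return frames


def near_null_args(frame: Frame, threshold: int = PAGE_SIZE) -> List[Tuple[str, int]]:
    """Hex-valued arguments (gdb prints pointers in hex) that fall in the first page."""
    found = []
    for name, value in HEX_ARG_RE.findall(frame.args):
        addr = int(value, 16)
        if addr < threshold:
            found.append((name, addr))
    return found


def triage(text: str) -> dict:
    """Summarise where the crash happened and which pointer looks like NULL+offset."""
    frames = parse_backtrace(text)
    top = frames[0]
    return {
        "crash_function": top.function,
        "crash_location": top.location,
        "suspect_args": near_null_args(top),
        "depth": len(frames),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BACKTRACE)
    print(f"crash in {report['crash_function']} at {report['crash_location']}")
    for name, addr in report["suspect_args"]:
        print(f"  {name}=0x{addr:x} looks like NULL plus a field offset")
```

Run on the quoted trace it reports the crash in `crosses` at `regions.c:1278` with `left=0x4` as the suspect, which matches the reporter's reading: the code is following a NULL `left` edge pointer into a field four bytes in, not failing to locate the font. Frames deeper in the stack also carry `non_cachable_font=0x0`, but a plain NULL passed as an argument is only a problem where it is dereferenced, so the tool confines its verdict to frame 0.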
