From 569860f721a30d5caad8ea1b55a3220f7e7f3d56 Mon Sep 17 00:00:00 2001 From: Andreas Kling Date: Mon, 21 Jun 2010 18:52:45 +0200 Subject: Fix null HB_Device** dereference on exit in Harfbuzz GPOS code Fix incorrect usage of _HB_OPEN_Free_Device() in CaretValue cleanup --- src/3rdparty/harfbuzz/src/harfbuzz-gdef.c | 2 +- src/3rdparty/harfbuzz/src/harfbuzz-gpos.c | 26 +++++++++++++---------- src/3rdparty/harfbuzz/src/harfbuzz-open-private.h | 2 +- src/3rdparty/harfbuzz/src/harfbuzz-open.c | 8 +++---- 4 files changed, 21 insertions(+), 17 deletions(-) diff --git a/src/3rdparty/harfbuzz/src/harfbuzz-gdef.c b/src/3rdparty/harfbuzz/src/harfbuzz-gdef.c index c0c6f2c..966b167 100644 --- a/src/3rdparty/harfbuzz/src/harfbuzz-gdef.c +++ b/src/3rdparty/harfbuzz/src/harfbuzz-gdef.c @@ -462,7 +462,7 @@ static HB_Error Load_CaretValue( HB_CaretValue* cv, static void Free_CaretValue( HB_CaretValue* cv) { if ( cv->CaretValueFormat == 3 ) - _HB_OPEN_Free_Device( &cv->cvf.cvf3.Device ); + _HB_OPEN_Free_Device( cv->cvf.cvf3.Device ); } diff --git a/src/3rdparty/harfbuzz/src/harfbuzz-gpos.c b/src/3rdparty/harfbuzz/src/harfbuzz-gpos.c index 31b9ae1..0236271 100644 --- a/src/3rdparty/harfbuzz/src/harfbuzz-gpos.c +++ b/src/3rdparty/harfbuzz/src/harfbuzz-gpos.c @@ -433,13 +433,16 @@ static HB_Error Load_ValueRecord( HB_ValueRecord* vr, return HB_Err_Ok; Fail1: - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_Y_ADVANCE_DEVICE] ); + if ( vr->DeviceTables ) + _HB_OPEN_Free_Device( vr->DeviceTables[VR_Y_ADVANCE_DEVICE] ); Fail2: - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_X_ADVANCE_DEVICE] ); + if ( vr->DeviceTables ) + _HB_OPEN_Free_Device( vr->DeviceTables[VR_X_ADVANCE_DEVICE] ); Fail3: - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_Y_PLACEMENT_DEVICE] ); + if ( vr->DeviceTables ) + _HB_OPEN_Free_Device( vr->DeviceTables[VR_Y_PLACEMENT_DEVICE] ); FREE( vr->DeviceTables ); return error; 
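Review bot: After this change `Free_CaretValue` leaves `cv->cvf.cvf3.Device` holding the freed address, because `_HB_OPEN_Free_Device` (harfbuzz-open.c hunk) now takes the pointer by value and its `FREE( d )` can only act on the local copy. Previously `FREE( *d )` operated on the caller's field, so if `FREE` clears its argument (its definition is not shown here), that protection against a second free is lost. I would reset the field at the call site: `{ _HB_OPEN_Free_Device( cv->cvf.cvf3.Device ); cv->cvf.cvf3.Device = NULL; }`. The `DeviceTables[...]` entries in harfbuzz-gpos.c are affected the same way, though there the array itself is freed right after the element frees.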
@@ -450,13 +453,13 @@ static void Free_ValueRecord( HB_ValueRecord* vr, HB_UShort format ) { if ( format & HB_GPOS_FORMAT_HAVE_Y_ADVANCE_DEVICE ) - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_Y_ADVANCE_DEVICE] ); + _HB_OPEN_Free_Device( vr->DeviceTables[VR_Y_ADVANCE_DEVICE] ); if ( format & HB_GPOS_FORMAT_HAVE_X_ADVANCE_DEVICE ) - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_X_ADVANCE_DEVICE] ); + _HB_OPEN_Free_Device( vr->DeviceTables[VR_X_ADVANCE_DEVICE] ); if ( format & HB_GPOS_FORMAT_HAVE_Y_PLACEMENT_DEVICE ) - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_Y_PLACEMENT_DEVICE] ); + _HB_OPEN_Free_Device( vr->DeviceTables[VR_Y_PLACEMENT_DEVICE] ); if ( format & HB_GPOS_FORMAT_HAVE_X_PLACEMENT_DEVICE ) - _HB_OPEN_Free_Device( &vr->DeviceTables[VR_X_PLACEMENT_DEVICE] ); + _HB_OPEN_Free_Device( vr->DeviceTables[VR_X_PLACEMENT_DEVICE] ); FREE( vr->DeviceTables ); } @@ -688,7 +691,8 @@ static HB_Error Load_Anchor( HB_Anchor* an, return HB_Err_Ok; Fail: - _HB_OPEN_Free_Device( &an->af.af3.DeviceTables[AF3_X_DEVICE_TABLE] ); + if ( an->af.af3.DeviceTables ) + _HB_OPEN_Free_Device( an->af.af3.DeviceTables[AF3_X_DEVICE_TABLE] ); FREE( an->af.af3.DeviceTables ); return error; @@ -697,10 +701,10 @@ Fail: static void Free_Anchor( HB_Anchor* an) { - if ( an->PosFormat == 3 ) + if ( an->PosFormat == 3 && an->af.af3.DeviceTables ) { - _HB_OPEN_Free_Device( &an->af.af3.DeviceTables[AF3_X_DEVICE_TABLE] ); - _HB_OPEN_Free_Device( &an->af.af3.DeviceTables[AF3_Y_DEVICE_TABLE] ); + _HB_OPEN_Free_Device( an->af.af3.DeviceTables[AF3_X_DEVICE_TABLE] ); + _HB_OPEN_Free_Device( an->af.af3.DeviceTables[AF3_Y_DEVICE_TABLE] ); FREE( an->af.af3.DeviceTables ); } } diff --git a/src/3rdparty/harfbuzz/src/harfbuzz-open-private.h b/src/3rdparty/harfbuzz/src/harfbuzz-open-private.h index 65ca453..f1ca278 100644 --- a/src/3rdparty/harfbuzz/src/harfbuzz-open-private.h +++ b/src/3rdparty/harfbuzz/src/harfbuzz-open-private.h 
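Review bot: `Free_ValueRecord` now reads `vr->DeviceTables[...]` whenever a device bit is set in `format`, with no check that `vr->DeviceTables` is non-NULL. The same commit adds that check to the `Load_ValueRecord` and `Load_Anchor` failure labels and to `Free_Anchor`. If a record can reach this function with device bits in `format` but no table array, for example after a failed load (the callers are outside the hunk), the index expression dereferences NULL. An early `if ( !vr->DeviceTables ) return;` at the top of the function would make it consistent with the guarded paths.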
@@ -79,7 +79,7 @@ HB_INTERNAL void _HB_OPEN_Free_LookupList( HB_LookupList* ll, HB_INTERNAL void _HB_OPEN_Free_Coverage( HB_Coverage* c ); HB_INTERNAL void _HB_OPEN_Free_ClassDefinition( HB_ClassDefinition* cd ); -HB_INTERNAL void _HB_OPEN_Free_Device( HB_Device** d ); +HB_INTERNAL void _HB_OPEN_Free_Device( HB_Device* d ); diff --git a/src/3rdparty/harfbuzz/src/harfbuzz-open.c b/src/3rdparty/harfbuzz/src/harfbuzz-open.c index adc6cec..15cd2c1 100644 --- a/src/3rdparty/harfbuzz/src/harfbuzz-open.c +++ b/src/3rdparty/harfbuzz/src/harfbuzz-open.c @@ -1353,12 +1353,12 @@ _HB_OPEN_Load_Device( HB_Device** device, HB_INTERNAL void -_HB_OPEN_Free_Device( HB_Device** d ) +_HB_OPEN_Free_Device( HB_Device* d ) { - if ( *d ) + if ( d ) { - FREE( (*d)->DeltaValue ); - FREE( *d ); + FREE( d->DeltaValue ); + FREE( d ); } } -- cgit v0.12
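Review bot: Changing the parameter of `_HB_OPEN_Free_Device` from `HB_Device**` to `HB_Device*` turns any call site that still passes `&ptr` into a pointer-type mismatch, which many C compilers report only as a warning. Such a call would hand the address of the slot itself to `FREE`. This patch updates harfbuzz-gdef.c and harfbuzz-gpos.c; whether other callers exist is not visible from here, so a tree-wide search for the function name, or building with incompatible-pointer warnings promoted to errors, is worth doing before merging. A short comment on the prototype stating the contract would also help, e.g. `/* Frees d and d->DeltaValue; d may be NULL. The caller's pointer is not cleared. */`.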