authorPatrick Lam <plam@MIT.EDU>2006-04-12 14:36:36 +0000
committerPatrick Lam <plam@MIT.EDU>2006-04-12 14:36:36 +0000
commit2f02e38361b24032945e24f7f8480999bf9df1e2 (patch)
tree738a140a1c56f356b5eb673da0afa8ce7e7072ac
parenta56e89ab4f21aa6288345c63d2c43e55561632e0 (diff)
Fix memory leak (Coverity defect #2089).
Ignore script if subtable is missing (Coverity defect #2088). Fix possible null pointer dereference (Coverity defect #784) and memory leak (Coverity defects #785, #786). Don't copy FcCharSet if we're going to throw it away anyway. (Reported by Kenichi Handa). reviewed by: plam
-rw-r--r--ChangeLog21
-rw-r--r--src/fccfg.c4
-rw-r--r--src/fcfreetype.c5
-rw-r--r--src/fcmatch.c33
-rw-r--r--src/fcpat.c7
5 files changed, 51 insertions, 19 deletions
diff --git a/ChangeLog b/ChangeLog
index 455e35b..ff60863 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,24 @@
+2006-04-12 Frederic Crozat <fcrozat@mandriva.com>
+ reviewed by: plam
+
+ * src/fcpat.c: (FcPatternFreeze):
+ Fix memory leak (Coverity defect #2089).
+
+ * src/fcfreetype.c: (GetScriptTags):
+ Ignore script if subtable is missing (Coverity defect #2088).
+
+2006-04-12 Patrick Lam <plam@mit.edu>
+ * src/fccfg.c (FcConfigSubstituteWithPat):
+
+ Fix possible null pointer dereference (Coverity defect #784)
+ and memory leak (Coverity defects #785, #786).
+
+2006-04-12 Patrick Lam <plam@mit.edu>
+ * src/fcmatch.c (FcSortWalk, FcFontSetSort):
+
+ Don't copy FcCharSet if we're going to throw it away anyway.
+ (Reported by Kenichi Handa).
+
2006-04-11 Ming Zhao <ming@gentoo.org>
reviewed by: plam
diff --git a/src/fccfg.c b/src/fccfg.c
index 35ab73a..cf92a2f 100644
--- a/src/fccfg.c
+++ b/src/fccfg.c
@@ -1512,7 +1512,8 @@ FcConfigSubstituteWithPat (FcConfig *config,
/*
* Delete the marked value
*/
- FcConfigDel (&st[i].elt->values, thisValue);
+ if (thisValue)
+ FcConfigDel (&st[i].elt->values, thisValue);
/*
* Adjust any pointers into the value list to ensure
* future edits occur at the same place
@@ -1567,6 +1568,7 @@ FcConfigSubstituteWithPat (FcConfig *config,
FcConfigPatternAdd (p, e->field, l, FcTrue);
break;
default:
+ FcValueListDestroy (FcValueListPtrCreateDynamic(l));
break;
}
}
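Review bot: The new `default:` branch releases `l`, but the `FcConfigPatternAdd (p, e->field, l, FcTrue)` call just above it still discards its result, so it is worth confirming that `l` is also released when that add fails; this hunk does not show it. A short comment on the added line would make the ownership rule explicit, for example `/* no edit consumed l, so release it here */`. The enclosing switch starts outside the hunk, so the other cases could not be checked.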
diff --git a/src/fcfreetype.c b/src/fcfreetype.c
index 5d852a5..87f3b99 100644
--- a/src/fcfreetype.c
+++ b/src/fcfreetype.c
@@ -2797,13 +2797,10 @@ GetScriptTags(FT_Face face, FT_ULong tabletag, FT_ULong **stags, FT_UShort *scri
cur_offset = ftglue_stream_pos( stream );
- if (( error = ftglue_stream_seek( stream, new_offset ) ))
- goto Fail;
+ error = ftglue_stream_seek( stream, new_offset );
if ( error == TT_Err_Ok )
p++;
- else if ( error != TTO_Err_Empty_Script )
- goto Fail;
(void)ftglue_stream_seek( stream, cur_offset );
}
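Review bot: Every failure of `ftglue_stream_seek( stream, new_offset )` is now treated as "skip this script", not only a missing subtable, and the restoring seek to `cur_offset` still has its result cast to void. The font file is untrusted input, so a failed restore would leave the next iteration reading its script record from the wrong position; consider `if ( ftglue_stream_seek( stream, cur_offset ) ) goto Fail;`, reusing the label the removed lines jumped to. `error` also keeps the last seek's value once the loop ends, so any later test of it, and any use of the declared script count instead of the accepted count `p`, should be checked. The loop and the rest of GetScriptTags lie outside the hunk.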
diff --git a/src/fcmatch.c b/src/fcmatch.c
index 57e0c0e..ae37fd7 100644
--- a/src/fcmatch.c
+++ b/src/fcmatch.c
@@ -791,7 +791,7 @@ FcSortCompare (const void *aa, const void *ab)
}
static FcBool
-FcSortWalk (FcSortNode **n, int nnode, FcFontSet *fs, FcCharSet **cs, FcBool trim)
+FcSortWalk (FcSortNode **n, int nnode, FcFontSet *fs, FcCharSet **cs, FcBool trim, FcBool build_cs)
{
FcCharSet *ncs;
FcSortNode *node;
@@ -808,16 +808,20 @@ FcSortWalk (FcSortNode **n, int nnode, FcFontSet *fs, FcCharSet **cs, FcBool tri
*/
if (!trim || !*cs || !FcCharSetIsSubset (ncs, *cs))
{
- if (*cs)
- {
- ncs = FcCharSetUnion (ncs, *cs);
- if (!ncs)
- return FcFalse;
- FcCharSetDestroy (*cs);
- }
- else
- ncs = FcCharSetCopy (ncs);
- *cs = ncs;
+ if (!trim && build_cs)
+ {
+ if (*cs)
+ {
+ ncs = FcCharSetUnion (ncs, *cs);
+ if (!ncs)
+ return FcFalse;
+ FcCharSetDestroy (*cs);
+ }
+ else
+ ncs = FcCharSetCopy (ncs);
+ *cs = ncs;
+ }
+
FcPatternReference (node->pattern);
if (FcDebug () & FC_DBG_MATCH)
{
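Review bot: With `if (!trim && build_cs)` the accumulated charset is never built when `trim` is true, so `*cs` stays null and the enclosing test `!trim || !*cs || !FcCharSetIsSubset (ncs, *cs)` is always true, which means no font is ever trimmed. The union is needed whenever trimming is requested or the caller wants the charset back, i.e. `if (trim || build_cs)`. The FcFontSetSort hunk is affected by the same condition: a caller passing both `trim` and a non-null `csp` would get a null `*csp`. The new `build_cs` parameter also has no comment; `/* build_cs: accumulate the union of the added fonts' charsets in *cs */` on the definition would help. FcSortWalk's body starts and ends outside this hunk.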
@@ -986,13 +990,16 @@ FcFontSetSort (FcConfig *config,
cs = 0;
- if (!FcSortWalk (nodeps, nnodes, ret, &cs, trim))
+ if (!FcSortWalk (nodeps, nnodes, ret, &cs, trim, (csp!=0)))
goto bail2;
if (csp)
*csp = cs;
else
- FcCharSetDestroy (cs);
+ {
+ if (cs)
+ FcCharSetDestroy (cs);
+ }
free (nodes);
diff --git a/src/fcpat.c b/src/fcpat.c
index 5865546..658998b 100644
--- a/src/fcpat.c
+++ b/src/fcpat.c
@@ -639,7 +639,7 @@ FcPatternBaseThawAll (void)
FcPattern *
FcPatternFreeze (FcPattern *p)
{
- FcPattern *b, *n = 0;
+ FcPattern *b, *n = 0, *freeme = 0;
FcPatternElt *e;
int i;
@@ -673,7 +673,10 @@ FcPatternFreeze (FcPattern *p)
(FcPatternEltU(b->elts)+i)->values =
FcValueListFreeze((FcPatternEltU(p->elts)+i)->values);
if (!FcValueListPtrU((FcPatternEltU(p->elts)+i)->values))
+ {
+ freeme = b;
goto bail;
+ }
}
if (FcPatternFindElt (p, FC_FILE))
@@ -695,6 +698,8 @@ FcPatternFreeze (FcPattern *p)
b->elts = FcPatternEltPtrCreateDynamic(0);
FcMemFree (FC_MEM_PATELT, sizeof (FcPatternElt)*(b->num));
b->num = -1;
+ if (freeme)
+ FcPatternDestroy (freeme);
#ifdef DEBUG
assert (FcPatternEqual (n, p));
#endif
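Review bot: On the new failure path (`freeme = b; goto bail;`) `n` may still be 0 from its initialiser, and the lines after the added `FcPatternDestroy (freeme)` run `assert (FcPatternEqual (n, p))` in DEBUG builds, which would then receive a null pattern; `assert (!n || FcPatternEqual (n, p));` avoids that. The added destroy also runs after `b->elts` has been reset and `b->num` set to -1, so it relies on FcPatternDestroy accepting a pattern in that state. That is not visible here and deserves a one-line comment saying why `b` is still owned at this point. The `bail` label and the rest of FcPatternFreeze lie outside these hunks.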