[quote]
// First FT_Get_Glyph - lazy copy transfers ownership
FT_Glyph glyph;
error = FT_Get_Glyph(face->glyph, &glyph); // Line 130
FT_Done_Glyph(glyph); // Line 136: Frees buffer

// Second FT_Get_Glyph - accesses freed memory!
error = FT_Get_Glyph(face->glyph, &glyph); // Line 143: UAF here!
[/quote]

The dubious code above has to obtain some privileges before this becomes a security issue. It is debatable whether we need to protect against the improper use of the library calls. If we do, then we probably need to thoroughly destroy FT_GlyphSlot after the lazy copy, or not do it lazily at all. Other glyph formats do not do lazy copy. I cannot decide.

Alexei
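As an added illustration, not code from this thread or from FreeType, here is a self-contained C model of the lazy ownership transfer discussed above, side by side with the mitigation Alexei mentions (thoroughly clearing the slot after the transfer). All names (ToySlot, ToyGlyph, toy_*) and the sample bitmap are constructed for this example and do not correspond to FreeType's internals; the point is only that once the slot no longer holds the moved pointer, a second get-glyph call fails cleanly instead of handing out freed memory.

```c
/* Toy model of lazy glyph-copy ownership transfer (constructed example,
 * not FreeType code; all names are hypothetical). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *buffer;   /* pixel data, owned by the slot until transferred */
    size_t         size;
    int            loaded;   /* 1 while the slot holds valid glyph data */
} ToySlot;

typedef struct {
    unsigned char *buffer;   /* owned by the glyph after a lazy transfer */
    size_t         size;
} ToyGlyph;

enum { TOY_OK = 0, TOY_ERR_INVALID_SLOT = 1, TOY_ERR_NOMEM = -1 };

/* "Render" a constant sample bitmap into the slot (constructed data). */
int toy_load_glyph(ToySlot *slot) {
    const unsigned char sample[] = { 0xff, 0x81, 0x81, 0xff };
    slot->buffer = malloc(sizeof sample);
    if (!slot->buffer) return TOY_ERR_NOMEM;
    memcpy(slot->buffer, sample, sizeof sample);
    slot->size = sizeof sample;
    slot->loaded = 1;
    return TOY_OK;
}

/* Lazy copy: move the buffer pointer into the glyph instead of duplicating it.
 * 'hardened' selects whether the slot is invalidated after the transfer. */
int toy_get_glyph(ToySlot *slot, ToyGlyph **out, int hardened) {
    if (!slot->loaded) return TOY_ERR_INVALID_SLOT;  /* refuses a stale slot */
    ToyGlyph *g = malloc(sizeof *g);
    if (!g) return TOY_ERR_NOMEM;
    g->buffer = slot->buffer;
    g->size = slot->size;
    if (hardened) {
        /* Thoroughly clear the slot: no dangling pointer survives the move. */
        slot->buffer = NULL;
        slot->size = 0;
        slot->loaded = 0;
    }
    *out = g;
    return TOY_OK;
}

/* The glyph owns the buffer, so destroying the glyph frees it. */
void toy_done_glyph(ToyGlyph *g) {
    free(g->buffer);
    free(g);
}

/* Replay the reported sequence (get, done, get) and return the second call's
 * status. Unhardened: TOY_OK, and the new glyph aliases freed memory.
 * Hardened: TOY_ERR_INVALID_SLOT, and nothing touches the freed buffer. */
int toy_replay(int hardened) {
    ToySlot slot = {0};
    ToyGlyph *g = NULL;
    if (toy_load_glyph(&slot) != TOY_OK) return TOY_ERR_NOMEM;
    if (toy_get_glyph(&slot, &g, hardened) != TOY_OK) return TOY_ERR_NOMEM;
    toy_done_glyph(g);                       /* frees the moved buffer */
    int rc = toy_get_glyph(&slot, &g, hardened);
    if (rc == TOY_OK) {
        /* Unhardened path: g->buffer now points at freed memory. We never
         * read through it here; release only the wrapper, not the buffer. */
        free(g);
    }
    return rc;
}

int main(void) {
    printf("unhardened second get: %d (0 = OK, buffer dangles)\n", toy_replay(0));
    printf("hardened   second get: %d (1 = invalid slot, rejected)\n", toy_replay(1));
    return 0;
}
```

The hardened branch is the "thoroughly destroy the slot" option; the alternative Alexei raises, a real copy instead of a lazy one, would make toy_done_glyph free a duplicate buffer and leave the slot's own buffer untouched, so either approach removes the aliasing.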
