- Enhancement
- Resolution: Fixed
- P3
- 1.2.0
- kestrel
- generic
- generic
Name: clC74495 Date: 07/26/99
The subroutine AddFontsToX11FontPath in
src/solaris/native/sun/awt/font/fontpath.c contains three
illegal calls to 'free' that may corrupt the malloc heap.
- there are two occurrences of:
    XFreeFontPath(origFontPath);
    free(origFontPath);
The 'free(origFontPath)' is not OK here, because XFreeFontPath
has already freed origFontPath! The memory is freed twice.
Here's the relevant source code from X11R6:
    XFreeFontPath (list)
    char **list;
    {
        if (list != NULL) {
            Xfree (list[0]-1);
            Xfree ((char *)list);   /* <-- here's the first free */
        }
        return 1;
    }
- it is not OK to free the newly constructed font path with
XFreeFontPath! The newFontPath pointer array contains
some shared pointers and some freshly allocated pointers!
And the last problem is that the origFontPath is not freed
when the X server's font path is extended.
TEST CASE:
Run the following simple java program with a malloc heap checker
enabled (I've used Electric Fence) and watch for the errors
reported by the heap checker!
    public class font {
        public static void main(String[] args) {
            new java.awt.Font("dialog", java.awt.Font.BOLD, 10);
            System.exit(0);
        }
    }
(Review ID: 88271)
======================================================================
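The ownership rules behind the three problems above, as an added example that is not the JDK's fontpath.c or its fix. It assumes the merged path borrows the server's entries and appends malloc'd copies; model_get_font_path, model_free_font_path and the /constructed/ paths are hypothetical stand-ins so the example runs without an X server.

```c
#include <stdlib.h>
#include <string.h>

static int live_blocks;  /* blocks allocated and not yet freed */
static void *track_alloc(size_t n) { live_blocks++; return malloc(n); }
static void track_free(void *p)    { live_blocks--; free(p); }

/* Stand-in for XGetFontPath: one string buffer plus one pointer array,
   with list[0] pointing one byte into the buffer (the X11R6 layout). */
static char **model_get_font_path(const char **dirs, int n) {
    size_t total = 1;
    for (int i = 0; i < n; i++) total += strlen(dirs[i]) + 1;
    char *buf = track_alloc(total), *p = buf + 1;
    char **list = track_alloc(n * sizeof *list);
    for (int i = 0; i < n; i++) {
        list[i] = strcpy(p, dirs[i]);
        p += strlen(dirs[i]) + 1;
    }
    return list;
}

/* Mirrors the X11R6 XFreeFontPath quoted in the report: it releases the
   buffer AND the array, so the caller must not free(list) afterwards. */
static void model_free_font_path(char **list) {
    if (list != NULL) {
        track_free(list[0] - 1);
        track_free(list);
    }
}

/* Merged path: entries [0, nOrig) are borrowed from orig, the rest are
   owned copies. Only the owned copies and the array belong to the caller. */
static char **merge_font_path(char **orig, int nOrig, const char **extra, int nExtra) {
    char **merged = track_alloc((nOrig + nExtra) * sizeof *merged);
    for (int i = 0; i < nOrig; i++) merged[i] = orig[i];
    for (int i = 0; i < nExtra; i++)
        merged[nOrig + i] = strcpy(track_alloc(strlen(extra[i]) + 1), extra[i]);
    return merged;
}

/* Returns the number of blocks still live after cleanup (0 when correct). */
int extend_font_path_demo(void) {
    const char *server[] = {"/constructed/fonts/misc", "/constructed/fonts/75dpi"};
    const char *extra[]  = {"/constructed/jdk/fonts"};
    char **orig = model_get_font_path(server, 2);
    char **merged = merge_font_path(orig, 2, extra, 1);
    int ok = merged[0] == orig[0] && strcmp(merged[2], extra[0]) == 0;
    track_free(merged[2]);       /* owned copy: plain free */
    track_free(merged);          /* owned array: plain free, never XFreeFontPath */
    model_free_font_path(orig);  /* original: library free, exactly once */
    return ok ? live_blocks : -1;
}
```

In real code the merged array would be handed to XSetFontPath before the cleanup; the release order and the split between plain free and XFreeFontPath stay the same.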