[MPlayer-cvslog] r21474 - in trunk/libass: ass.c ass.h ass_cache.c ass_font.c ass_fontconfig.c ass_fontconfig.h ass_library.c ass_library.h ass_render.c

[Uoti Urpala]

On Sun, 2006-12-03 at 18:59 +0100, eugeni wrote:
> Keep embedded fonts in ass_library_t and perform actual disk write

> +void ass_add_font(ass_library_t* priv, char* name, char* data, int size)
> +{
> +	grow_array((void**)&priv->fontdata, priv->num_fontdata, sizeof(*priv->fontdata));
> +	priv->fontdata[priv->num_fontdata].name = name;
> +	priv->fontdata[priv->num_fontdata].data = data;

The fonts array is in the toplevel library struct which is shared
between renderer instances (and thus files), and nothing removes entries
from it. However the Matroska demuxer will free the attachment (and the
data pointer in the code above) when the file is closed. This causes a
crash if you play a file with embedded fonts and then another file which
uses libass; when starting the second file the renderer initialization
code will access the now freed data.