cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.

Upstream issue: https://bugs.webkit.org/show_bug.cgi?id=191595
Upstream MR: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5
Created cairo tracking bugs for this issue:
Affects: fedora-all [bug 1661456]

Created mingw-cairo tracking bugs for this issue:
Affects: epel-7 [bug 1661455]
Affects: fedora-all [bug 1661457]
Analysis: This is essentially a bug in which cairo tries to free a FT_MM_Var data structure using system free() rather than using FT_Done_MM_Var() when FreeType 2.9 is used. This bug is triggered when WebKit tries to use its internal fastMalloc() for allocating and freeing cairo data structures. This is really cairo and FreeType version specific and the trigger factor is how WebKit deals with these data structures. Based on the complexity of the overall problem and the trigger factor, it is safe to call this low impact.
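The bug class described above (an object owned by one allocator released through another) is easy to model without FreeType or WebKit. The following is an added example, not code from cairo, FreeType or WebKit: a toy library allocator and a toy application allocator each tag their blocks, and each release function checks the tag before freeing. A real allocator aborts on the mismatch (that is the "free(): invalid pointer" above); the demo returns a status instead so the wrong-deallocator path can be observed and compared with the correctly paired one. All names (lib_alloc, lib_done, app_alloc, app_free, mm_var, the *_apply_variations functions) and the tag values are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tags: which allocator a block came from. */
#define MAGIC_LIB 0x4C49424Du   /* block came from lib_alloc() (stands in for FreeType's memory manager) */
#define MAGIC_APP 0x41505031u   /* block came from app_alloc() (stands in for WebKit's fastMalloc) */

typedef struct {
    unsigned magic;   /* owner tag, checked on release */
    size_t   size;    /* payload size, kept for completeness */
} block_hdr;

typedef enum {
    RELEASE_OK = 0,
    RELEASE_WRONG_ALLOCATOR = 1,   /* what a real free() turns into an abort */
    RELEASE_NULL = 2
} release_status;

/* Allocate a payload of n bytes behind a header carrying the given tag. */
static void *tagged_alloc(size_t n, unsigned tag) {
    block_hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->magic = tag;
    h->size = n;
    return h + 1;           /* hand out the payload, hide the header */
}

/* Release only if the block carries the expected tag; otherwise report the mismatch. */
static release_status tagged_free(void *p, unsigned expected) {
    if (!p) return RELEASE_NULL;
    block_hdr *h = (block_hdr *)p - 1;
    if (h->magic != expected) return RELEASE_WRONG_ALLOCATOR;
    h->magic = 0;           /* poison so a double release is also caught */
    free(h);
    return RELEASE_OK;
}

/* Library-private allocator pair (the owner of the font data structure). */
static void *lib_alloc(size_t n)      { return tagged_alloc(n, MAGIC_LIB); }
static release_status lib_done(void *p) { return tagged_free(p, MAGIC_LIB); }

/* Application allocator pair (the host's own malloc replacement). */
static void *app_alloc(size_t n)      { return tagged_alloc(n, MAGIC_APP); }
static release_status app_free(void *p) { return tagged_free(p, MAGIC_APP); }

/* Constructed stand-in for a variable-font axis record such as FT_MM_Var. */
typedef struct {
    unsigned num_axis;
    long     coords[4];
} mm_var;

/* Buggy pattern: the record was created by the library, but the caller hands it
 * to the application's free. With a real allocator this is the crash. */
static release_status buggy_apply_variations(void) {
    mm_var *v = lib_alloc(sizeof *v);
    if (!v) return RELEASE_NULL;
    v->num_axis = 2;
    v->coords[0] = 400; v->coords[1] = 100;
    release_status s = app_free(v);        /* wrong deallocator for this object */
    if (s != RELEASE_OK) lib_done(v);      /* demo only: reclaim the block properly */
    return s;
}

/* Fixed pattern: the object is released by the same subsystem that created it. */
static release_status fixed_apply_variations(void) {
    mm_var *v = lib_alloc(sizeof *v);
    if (!v) return RELEASE_NULL;
    v->num_axis = 2;
    v->coords[0] = 400; v->coords[1] = 100;
    return lib_done(v);                    /* matching destroy routine */
}

/* Application-owned data keeps using the application pair; that path is fine. */
static release_status app_owned_roundtrip(void) {
    char *buf = app_alloc(32);
    if (!buf) return RELEASE_NULL;
    strcpy(buf, "app owned");
    return app_free(buf);
}

int main(void) {
    printf("buggy:   %d\n", buggy_apply_variations());   /* 1 = wrong allocator */
    printf("fixed:   %d\n", fixed_apply_variations());   /* 0 = ok */
    printf("app own: %d\n", app_owned_roundtrip());      /* 0 = ok */
    return 0;
}
```

The check to carry back to real code is the pairing rule: an object obtained from a library's creation routine is released only through that library's matching destroy routine, never through free() or a host allocator, even when the two happen to agree on some builds. Building with AddressSanitizer (-fsanitize=address) or running under Valgrind flags such mismatched releases directly in a real program.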