Merge branch 'fix_use_after_free_race' into 'master'

Fix usage of FT_Face after FT_Done_Face and unsynchronised access to FT_Library and num_open_faces

Closes #436

See merge request cairo/cairo!81

src/cairo-ft-font.c

@@ -718,14 +718,18 @@ _cairo_ft_unscaled_font_lock_face (cairo_ft_unscaled_font_t *unscaled)
     CAIRO_MUTEX_LOCK (unscaled->mutex);
     unscaled->lock_count++;
 
+    font_map = _cairo_ft_unscaled_font_map_lock ();
+
     if (unscaled->face)
+    {
+        _cairo_ft_unscaled_font_map_unlock ();
 	return unscaled->face;
+    }
 
     /* If this unscaled font was created from an FT_Face then we just
      * returned it above. */
     assert (!unscaled->from_face);
 
-    font_map = _cairo_ft_unscaled_font_map_lock ();
     {
 	assert (font_map != NULL);
 
@@ -741,7 +745,6 @@ _cairo_ft_unscaled_font_lock_face (cairo_ft_unscaled_font_t *unscaled)
 	    _font_map_release_face_lock_held (font_map, entry);
 	}
     }
-    _cairo_ft_unscaled_font_map_unlock ();
 
     error = FT_New_Face (font_map->ft_library,
 			 unscaled->filename,
@@ -749,6 +752,7 @@ _cairo_ft_unscaled_font_lock_face (cairo_ft_unscaled_font_t *unscaled)
 			 &face);
     if (error)
     {
+        _cairo_ft_unscaled_font_map_unlock ();
 	unscaled->lock_count--;
 	CAIRO_MUTEX_UNLOCK (unscaled->mutex);
 	_cairo_error_throw (_cairo_ft_to_cairo_error (error));
@@ -762,6 +766,8 @@ _cairo_ft_unscaled_font_lock_face (cairo_ft_unscaled_font_t *unscaled)
 
     font_map->num_open_faces++;
 
+    _cairo_ft_unscaled_font_map_unlock ();
+
     return face;
 }