[PATCH] libfontenc: setCode(): fix realloc invocation

Aaron Plattner aplattner at nvidia.com
Mon Mar 4 08:28:34 PST 2013


On 03/03/2013 08:57 PM, Nickolai Zeldovich wrote:
> This patch fixes two bugs in the realloc invocation in setCode(), which
> most likely cause memory corruption when realloc is triggered:
>
> 1. Pass *enc to realloc (which is the dynamically-allocated buffer),
>     instead of enc (which stores a pointer to the dynamically-allocated
>     buffer).
>
> 2. Allocate enough memory for (*encsize) shorts, instead of (*encsize)
>     bytes; see the call to malloc just above the realloc call.
>
> Signed-off-by: Nickolai Zeldovich <nickolai at csail.mit.edu>

Yikes, that's pretty bad!

Reviewed-by: Aaron Plattner <aplattner at nvidia.com>

Do you need someone to apply this for you?

> ---
>   src/encparse.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/encparse.c b/src/encparse.c
> index cbcac80..ee18b3f 100644
> --- a/src/encparse.c
> +++ b/src/encparse.c
> @@ -426,7 +426,7 @@ setCode(unsigned from, unsigned to, unsigned row_size,
>           }
>       } else if(*encsize <= index) {
>           *encsize = 0x10000;
> -        if((newenc = realloc(enc, *encsize))==NULL)
> +        if((newenc = realloc(*enc, (*encsize) * sizeof(unsigned short)))==NULL)
>               return 1;
>           *enc = newenc;
>       }
>
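Review bot: `*encsize = 0x10000;` is stored before the realloc that actually gives the buffer that size, so on the failure path (`return 1`) the caller is left with `*encsize` claiming 0x10000 elements while `*enc` still points at the smaller old block; any later `*encsize <= index` test would then let an index through that the buffer cannot hold. Suggest computing the new size into a local and assigning `*encsize` only after `*enc = newenc;`. The corrected call itself is right: `enc` holds a pointer to the heap buffer, so the old code handed realloc the address of that pointer variable rather than the block, and requested `*encsize` bytes where `*encsize * sizeof(unsigned short)` was needed. Since the new size is a fixed constant rather than derived from `index`, it is also worth confirming that `index` is bounded by 0x10000 on every path into this branch.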


-- 
Aaron
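As an added example (not libfontenc code and not from the patch author), the growable table below shows the pattern the patch restores, and goes a little beyond it: the buffer itself, never its address, is passed to realloc; the byte count is elements times sizeof(unsigned short), checked for overflow; the recorded capacity is updated only after realloc succeeds, so a failure leaves the old buffer and size consistent; and new tail elements are zeroed. The names `enc_table`, `enc_table_set`, and the 0x10000 limit are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable table of 16-bit codes indexed by position.
 * 'size' is the capacity in elements, not bytes. */
typedef struct {
    unsigned short *codes;
    size_t size;
} enc_table;

/* Start with 'initial' zeroed elements (0 is allowed). */
static int enc_table_init(enc_table *t, size_t initial)
{
    t->codes = NULL;
    t->size = 0;
    if (initial == 0)
        return 0;
    t->codes = calloc(initial, sizeof(unsigned short));
    if (t->codes == NULL)
        return 1;
    t->size = initial;
    return 0;
}

/* Grow so that 'index' is valid; 'limit' caps the element count.
 * Returns 0 on success, 1 on failure. On failure t->codes and t->size
 * are left untouched and still describe a valid allocation. */
static int enc_table_reserve(enc_table *t, size_t index, size_t limit)
{
    size_t newsize;
    unsigned short *p;

    if (index < t->size)
        return 0;
    if (index >= limit)
        return 1;                 /* out of range for this table */

    newsize = t->size ? t->size : 16;
    while (newsize <= index) {    /* double, but never exceed limit */
        if (newsize > limit / 2) {
            newsize = limit;
            break;
        }
        newsize *= 2;
    }

    /* Byte count must not wrap before it reaches realloc. */
    if (newsize > SIZE_MAX / sizeof(unsigned short))
        return 1;

    /* Pass the buffer (t->codes), not &t->codes, and size in bytes. */
    p = realloc(t->codes, newsize * sizeof(unsigned short));
    if (p == NULL)
        return 1;                 /* old buffer is still valid */

    /* realloc does not zero the added tail; do it explicitly. */
    memset(p + t->size, 0, (newsize - t->size) * sizeof(unsigned short));

    t->codes = p;
    t->size = newsize;            /* only now does the size change */
    return 0;
}

/* Store 'code' at 'index', growing the table as needed (max 0x10000). */
static int enc_table_set(enc_table *t, size_t index, unsigned short code)
{
    if (enc_table_reserve(t, index, 0x10000))
        return 1;
    t->codes[index] = code;
    return 0;
}

/* Bounds-checked read; unset or out-of-range positions read as 0. */
static unsigned short enc_table_get(const enc_table *t, size_t index)
{
    return index < t->size ? t->codes[index] : 0;
}

static void enc_table_free(enc_table *t)
{
    free(t->codes);
    t->codes = NULL;
    t->size = 0;
}
```

The contrast with the buggy line is in the realloc call: `realloc(&t->codes, newsize)` would hand the allocator a stack or struct address it never issued and request half the bytes actually needed, which is why the original mistake manifests as heap corruption rather than a clean failure.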


More information about the xorg-devel mailing list