cirno/plan9port
1
0
Fork 0
mirror of https://github.com/9fans/plan9port.git synced 2025-01-24 11:41:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

libdraw: replace hand-rolled realloc, preventing buffer overflow.

Browse source 
The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large.
Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf
(newsize) is mallocated.  Unfortunately memmove() reads (newsize)
bytes from the original (oldsize) buffer, causing a buffer overflow.

By switching to realloc(), we don't need to do buffer size calculation,
memmoving, and freeing of the original buffer.

Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd
Reviewed-on: https://plan9port-review.googlesource.com/1520
Reviewed-by: Gleydson Soares <gsoares@gmail.com>
This commit is contained in:
Ray Lai 2016-05-18 14:06:20 +08:00 committed by Gleydson Soares
parent 669713d43f
commit 94b38bdb72
1 changed files with 1 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/libdraw/font.c
View file

@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int noflush, char **subfontname)
subf->age = 0;
}else{ /* too recent; grow instead */
of = f->subf;
f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
if(f->subf == nil){
f->subf = of;
goto Toss;
}
memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
subf = &f->subf[f->nsubf];
f->nsubf += DSUBF;
free(of);
}
}
subf->age = 0;