tlibdraw: replace hand-rolled realloc, preventing buffer overflow. - plan9port - [fork] Plan 9 from user space (HTM) git clone git://src.adamsgaard.dk/plan9port (DIR) Log (DIR) Files (DIR) Refs (DIR) README (DIR) LICENSE --- (DIR) commit 94b38bdb722052838eb0d940c05995b870db4ea0 (DIR) parent 669713d43f8a014ba481265d4c58c3fe575527b4 (HTM) Author: Ray Lai <ray@raylai.com> Date: Wed, 18 May 2016 14:06:20 +0800 libdraw: replace hand-rolled realloc, preventing buffer overflow. The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large. Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf (newsize) is mallocated. Unfortunately memmove() reads (newsize) bytes from the original (oldsize) buffer, causing a buffer overflow. By switching to realloc(), we don't need to do buffer size calculation, memmoving, and freeing of the original buffer. Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd Reviewed-on: https://plan9port-review.googlesource.com/1520 Reviewed-by: Gleydson Soares <gsoares@gmail.com> Diffstat: M src/libdraw/font.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- (DIR) diff --git a/src/libdraw/font.c b/src/libdraw/font.c t@@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int noflush, char **subfontname) subf->age = 0; }else{ /* too recent; grow instead */ of = f->subf; - f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf); + f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf); if(f->subf == nil){ f->subf = of; goto Toss; } - memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf); memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf); subf = &f->subf[f->nsubf]; f->nsubf += DSUBF; - free(of); } } subf->age = 0;