tlibdraw: replace hand-rolled realloc, preventing buffer overflow. - plan9port - [fork] Plan 9 from user space
(HTM) git clone git://src.adamsgaard.dk/plan9port
(DIR) Log
(DIR) Files
(DIR) Refs
(DIR) README
(DIR) LICENSE
---
(DIR) commit 94b38bdb722052838eb0d940c05995b870db4ea0
(DIR) parent 669713d43f8a014ba481265d4c58c3fe575527b4
(HTM) Author: Ray Lai <ray@raylai.com>
Date: Wed, 18 May 2016 14:06:20 +0800
libdraw: replace hand-rolled realloc, preventing buffer overflow.
The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large.
Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf
(newsize) is mallocated. Unfortunately memmove() reads (newsize)
bytes from the original (oldsize) buffer, causing a buffer overflow.
By switching to realloc(), we don't need to do buffer size calculation,
memmoving, and freeing of the original buffer.
Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd
Reviewed-on: https://plan9port-review.googlesource.com/1520
Reviewed-by: Gleydson Soares <gsoares@gmail.com>
Diffstat:
M src/libdraw/font.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
---
(DIR) diff --git a/src/libdraw/font.c b/src/libdraw/font.c
t@@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int noflush, char **subfontname)
subf->age = 0;
}else{ /* too recent; grow instead */
of = f->subf;
- f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+ f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
if(f->subf == nil){
f->subf = of;
goto Toss;
}
- memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
subf = &f->subf[f->nsubf];
f->nsubf += DSUBF;
- free(of);
}
}
subf->age = 0;