<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:akira@tagoh.org" title="Akira TAGOH <akira@tagoh.org>"> <span class="fn">Akira TAGOH</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - Memory Leak during error case in fccharset"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90867">bug 90867</a>
          <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Status</td>
           <td>NEW
           </td>
           <td>ASSIGNED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">CC</td>
           <td>
                
           </td>
           <td>akira@tagoh.org, fontconfig-bugs@lists.freedesktop.org
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Assignee</td>
           <td>fontconfig-bugs@lists.freedesktop.org
           </td>
           <td>akira@tagoh.org
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - Memory Leak during error case in fccharset"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90867#c2">Comment # 2</a>
              on <a class="bz_bug_link 
          bz_status_ASSIGNED "
   title="ASSIGNED - Memory Leak during error case in fccharset"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=90867">bug 90867</a>
              from <span class="vcard"><a class="email" href="mailto:akira@tagoh.org" title="Akira TAGOH <akira@tagoh.org>"> <span class="fn">Akira TAGOH</span></a>
</span></b>
        <pre>Thank you for catching this. But that patch does not look correct to me,
particularly when reallocating leaves succeeds but reallocating numbers does not:
the pointer may be updated, so the next access to leaves may then cause a segfault.

Here is another proposal to fix it:
diff --git a/src/fccharset.c b/src/fccharset.c
index 6e0093f..3f17892 100644
--- a/src/fccharset.c
+++ b/src/fccharset.c
@@ -164,6 +164,14 @@ FcCharSetPutLeaf (FcCharSet    *fcs,
         unsigned int alloced = 8;
     leaves = malloc (alloced * sizeof (*leaves));
     numbers = malloc (alloced * sizeof (*numbers));
+    if (!leaves || !numbers)
+    {
+        if (leaves)
+        free (leaves);
+        if (numbers)
+        free (numbers);
+        return FcFalse;
+    }
       }
       else
       {
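Review bot: The `if (leaves)` and `if (numbers)` guards around the two free() calls in the added cleanup are redundant, since free() on a null pointer is defined as a no-op; the block can simply read `free (leaves); free (numbers); return FcFalse;`. The early return itself is the right shape here: on the visible lines of this branch nothing has been stored into fcs yet (the offsets are only written near the end of the function), so there is nothing else to undo. The enclosing FcCharSetPutLeaf body starts before this hunk and continues after it.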
@@ -172,8 +180,19 @@ FcCharSetPutLeaf (FcCharSet    *fcs,

     alloced *= 2;
     new_leaves = realloc (leaves, alloced * sizeof (*leaves));
+    if (!new_leaves)
+        return FcFalse;
     numbers = realloc (numbers, alloced * sizeof (*numbers));
-
+    if (!numbers)
+    {
+        /* Revert the reallocation of leaves */
+        leaves = realloc (new_leaves, (alloced / 2) * sizeof (*new_leaves));
+        /* unlikely to fail though */
+        if (!leaves)
+        return FcFalse;
+        fcs->leaves_offset = FcPtrToOffset (fcs, leaves);
+        return FcFalse;
+    }
     distance = (intptr_t) new_leaves - (intptr_t) leaves;
     if (new_leaves && distance)
     {
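Review bot: The "unlikely to fail" fallback (`if (!leaves) return FcFalse;` after the shrinking realloc) returns without storing new_leaves, yet the first realloc has already succeeded, so the original `leaves` block is gone; assuming fcs->leaves_offset still refers to that old block, as the assignment at the bottom of the function suggests, the charset is left pointing at freed memory, which is exactly the segfault the comment above warns about. Even when the shrink succeeds it may move the block, and the revert skips the fix-up that the lines immediately below (`distance = …; if (new_leaves && distance)`) apply whenever the array moves; if that fix-up rewrites per-leaf offsets (its body lies outside this hunk) the reverted array would carry stale offsets. Both problems disappear if the numbers failure is not reverted at all: drop the revert block, keep the grown new_leaves, let the existing distance fix-up and `fcs->leaves_offset = FcPtrToOffset (fcs, leaves);` run as on the success path, and only then `if (!numbers) return FcFalse;`, so the charset stays consistent (same contents, larger capacity) and only numbers is left untouched. FcCharSetPutLeaf's body continues outside this hunk.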
@@ -184,9 +203,6 @@ FcCharSetPutLeaf (FcCharSet    *fcs,
     leaves = new_leaves;
       }

-      if (!leaves || !numbers)
-      return FcFalse;
-
       fcs->leaves_offset = FcPtrToOffset (fcs, leaves);
       fcs->numbers_offset = FcPtrToOffset (fcs, numbers);
     }


Please test if you have any testcase for that.</pre>
        </div>
      </p>
    </body>
</html>