[Fontconfig-bugs] [Bug 90867] Memory Leak during error case in fccharset

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Jun 5 02:04:10 PDT 2015


https://bugs.freedesktop.org/show_bug.cgi?id=90867

Akira TAGOH <akira at tagoh.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |akira at tagoh.org,
                   |                            |fontconfig-bugs at lists.freed
                   |                            |esktop.org
           Assignee|fontconfig-bugs at lists.freed |akira at tagoh.org
                   |esktop.org                  |

--- Comment #2 from Akira TAGOH <akira at tagoh.org> ---
Thank you for catching this. But that patch does not look correct to me, particularly when reallocating leaves succeeds but reallocating numbers fails: the pointer may already have been updated, so the next access to leaves may then cause a segfault.

Here is another proposal to fix it:
diff --git a/src/fccharset.c b/src/fccharset.c
index 6e0093f..3f17892 100644
--- a/src/fccharset.c
+++ b/src/fccharset.c
@@ -164,6 +164,14 @@ FcCharSetPutLeaf (FcCharSet    *fcs,
         unsigned int alloced = 8;
     leaves = malloc (alloced * sizeof (*leaves));
     numbers = malloc (alloced * sizeof (*numbers));
+    if (!leaves || !numbers)
+    {
+        if (leaves)
+        free (leaves);
+        if (numbers)
+        free (numbers);
+        return FcFalse;
+    }
       }
       else
       {
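Review bot: The `if (leaves)` / `if (numbers)` guards on lines 36-39 are redundant, since free(NULL) is a no-op; the cleanup can simply be `free (leaves); free (numbers); return FcFalse;`. The early return is otherwise sound here because neither offset has been stored into fcs yet, so the charset is left unchanged on failure. FcCharSetPutLeaf begins before this hunk.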
@@ -172,8 +180,19 @@ FcCharSetPutLeaf (FcCharSet    *fcs,

     alloced *= 2;
     new_leaves = realloc (leaves, alloced * sizeof (*leaves));
+    if (!new_leaves)
+        return FcFalse;
     numbers = realloc (numbers, alloced * sizeof (*numbers));
-
+    if (!numbers)
+    {
+        /* Revert the reallocation of leaves */
+        leaves = realloc (new_leaves, (alloced / 2) * sizeof (*new_leaves));
+        /* unlikely to fail though */
+        if (!leaves)
+        return FcFalse;
+        fcs->leaves_offset = FcPtrToOffset (fcs, leaves);
+        return FcFalse;
+    }
     distance = (intptr_t) new_leaves - (intptr_t) leaves;
     if (new_leaves && distance)
     {
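Review bot: The revert on line 56 reallocs new_leaves back to its old size, but realloc may move the block again, and the per-entry fix-up that the following `distance` block applies when new_leaves moved (its body lies outside the hunk, so this is inferred from lines 63-65) is not applied to the reverted array; if the entries are offsets relative to the array base, leaves_offset then points at an array whose entries are stale. Growing numbers before leaves avoids the revert entirely: an oversized numbers array needs no fix-up, so a later leaves failure can just return with the old leaves intact, provided numbers_offset is refreshed so the new numbers block is not lost. The old numbers pointer is presumably still reachable via fcs->numbers_offset when the `if (!numbers)` path returns, so no leak is introduced there. The rest of FcCharSetPutLeaf continues outside the hunk.
```c
    alloced *= 2;
    numbers = realloc (numbers, alloced * sizeof (*numbers));
    if (!numbers)
        return FcFalse;                 /* old numbers block still referenced via fcs->numbers_offset */
    fcs->numbers_offset = FcPtrToOffset (fcs, numbers);
    new_leaves = realloc (leaves, alloced * sizeof (*leaves));
    if (!new_leaves)
        return FcFalse;                 /* leaves untouched; numbers merely oversized */
    distance = (intptr_t) new_leaves - (intptr_t) leaves;
    /* … unchanged: entry fix-up when leaves moved … */
```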
@@ -184,9 +203,6 @@ FcCharSetPutLeaf (FcCharSet    *fcs,
     leaves = new_leaves;
       }

-      if (!leaves || !numbers)
-      return FcFalse;
-
       fcs->leaves_offset = FcPtrToOffset (fcs, leaves);
       fcs->numbers_offset = FcPtrToOffset (fcs, numbers);
     }


Please test it if you have any test case for that.


