summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNickolai Zeldovich <nickolai@csail.mit.edu>2013-03-03 23:57:34 -0500
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-04 08:48:29 -0800
commit624508365ec3279bc74ce523d024533e062629e1 (patch)
tree4d3fe690c5d09df12a3a48a47beafb46ee1d28e2
parentf5d1208172e965fdd7fae8927bd3e29b3cc3a975 (diff)
libfontenc: setCode(): fix realloc invocation
This patch fixes two bugs in the realloc invocation in setCode(), which most likely cause memory corruption when realloc is triggered: 1. Pass *enc to realloc (which is the dynamically-allocated buffer), instead of enc (which stores a pointer to the dynamically-allocated buffer). 2. Allocate enough memory for (*encsize) shorts, instead of (*encsize) bytes; see the call to malloc just above the realloc call. Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu> Reviewed-by: Aaron Plattner <aplattner@nvidia.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/encparse.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/encparse.c b/src/encparse.c
index cbcac80..ee18b3f 100644
--- a/src/encparse.c
+++ b/src/encparse.c
@@ -426,7 +426,7 @@ setCode(unsigned from, unsigned to, unsigned row_size,
}
} else if(*encsize <= index) {
*encsize = 0x10000;
- if((newenc = realloc(enc, *encsize))==NULL)
+ if((newenc = realloc(*enc, (*encsize) * sizeof(unsigned short)))==NULL)
return 1;
*enc = newenc;
}