diff options
| author | Tor Lillqvist <tml@iki.fi> | 2009-08-14 00:08:17 +0300 |
|---|---|---|
| committer | Behdad Esfahbod <behdad@behdad.org> | 2009-08-13 18:17:33 -0400 |
| commit | d15678127aeea96c9c8254a171c2f0af0bd7d140 (patch) | |
| tree | 67fee27ef06cb37633f9c5357b0af209cd13efb5 | |
| parent | a1b6e34a9a17a4a675bdc993aa465b92d7122376 (diff) | |
Fix heap corruption on Windows in FcEndElement()
Must not call FcStrFree() on a value returned by
FcStrBufDoneStatic(). In the Windows code don't bother with dynamic
allocation, just use a local buffer.
| -rw-r--r-- | src/fcxml.c | 43 |
1 files changed, 11 insertions, 32 deletions
diff --git a/src/fcxml.c b/src/fcxml.c index 7b7bbfd..e829422 100644 --- a/src/fcxml.c +++ b/src/fcxml.c @@ -2031,7 +2031,10 @@ FcEndElement(void *userData, const XML_Char *name) { FcConfigParse *parse = userData; FcChar8 *data; - +#ifdef _WIN32 + FcChar8 buffer[1000]; +#endif + if (!parse->pstack) return; switch (parse->pstack->element) { @@ -2050,18 +2053,10 @@ FcEndElement(void *userData, const XML_Char *name) if (strcmp (data, "CUSTOMFONTDIR") == 0) { char *p; - FcStrFree (data); - data = malloc (1000); - if (!data) - { - FcConfigMessage (parse, FcSevereError, "out of memory"); - break; - } - FcMemAlloc (FC_MEM_STRING, 1000); - if(!GetModuleFileName(NULL, data, 1000)) + data = buffer; + if (!GetModuleFileName (NULL, buffer, sizeof (buffer) - 20)) { FcConfigMessage (parse, FcSevereError, "GetModuleFileName failed"); - FcStrFree (data); break; } p = strrchr (data, '\\'); @@ -2071,18 +2066,10 @@ FcEndElement(void *userData, const XML_Char *name) else if (strcmp (data, "APPSHAREFONTDIR") == 0) { char *p; - FcStrFree (data); - data = malloc (1000); - if (!data) - { - FcConfigMessage (parse, FcSevereError, "out of memory"); - break; - } - FcMemAlloc (FC_MEM_STRING, 1000); - if(!GetModuleFileName(NULL, data, 1000)) + data = buffer; + if (!GetModuleFileName (NULL, buffer, sizeof (buffer) - 20)) { FcConfigMessage (parse, FcSevereError, "GetModuleFileName failed"); - FcStrFree (data); break; } p = strrchr (data, '\\'); @@ -2092,19 +2079,11 @@ FcEndElement(void *userData, const XML_Char *name) else if (strcmp (data, "WINDOWSFONTDIR") == 0) { int rc; - FcStrFree (data); - data = malloc (1000); - if (!data) - { - FcConfigMessage (parse, FcSevereError, "out of memory"); - break; - } - FcMemAlloc (FC_MEM_STRING, 1000); - rc = GetSystemWindowsDirectory (data, 800); - if (rc == 0 || rc > 800) + data = buffer; + rc = GetSystemWindowsDirectory (buffer, sizeof (buffer) - 20); + if (rc == 0 || rc > sizeof (buffer) - 20) { FcConfigMessage (parse, FcSevereError, "GetSystemWindowsDirectory failed"); - FcStrFree (data); break; } if (data [strlen (data) - 1] != '\\') |