If exactly one of the two reallocs in XListFontsWithInfo() fails, the subsequent code accesses memory freed by the other realloc.
Signed-off-by: Nickolai Zeldovich <[email protected]>
---
src/FontInfo.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/FontInfo.c b/src/FontInfo.c
index a3ab65b..97de40e 100644
--- a/src/FontInfo.c
+++ b/src/FontInfo.c
@@ -90,6 +90,11 @@ XFontStruct **info) /* RETURN */
Xrealloc ((char *) flist, (unsigned) (sizeof(char *) * (size+1))); + if (tmp_finfo) + finfo = tmp_finfo; + if (tmp_flist) + flist = tmp_flist; + if ((! tmp_finfo) || (! tmp_flist)) { /* free all the memory that we allocated */ for (j=(i-1); (j >= 0); j--) {
@@ -97,14 +102,10 @@ XFontStruct **info) /* RETURN */
if (finfo[j].properties) Xfree((char *) finfo[j].properties); } - if (tmp_flist) Xfree((char *) tmp_flist); - else Xfree((char *) flist); - if (tmp_finfo) Xfree((char *) tmp_finfo); - else Xfree((char *) finfo); + Xfree((char *) flist); + Xfree((char *) finfo); goto clearwire; } - finfo = tmp_finfo; - flist = tmp_flist; } else { if (! (finfo = (XFontStruct *)
--
1.7.10.4
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
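Review bot: The flist byte count in the context lines at the top of the first hunk is still narrowed by the `(unsigned)` cast, so where size_t is wider than unsigned a large `size` would produce a smaller block than the code indexing flist expects. The pointer adoption added below the call does not change that. `size` is computed outside the hunk, so whether it can grow that far is not visible here; if it is derived from server replies it should be range-checked before the multiplication. Assuming Xrealloc accepts a size_t, the argument could read `sizeof(char *) * ((size_t) size + 1)`; the statement itself begins above the hunk.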
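Review bot: The unconditional `Xfree((char *) flist); Xfree((char *) finfo);` pair in the second hunk is only correct because the first hunk re-points both variables before the failure test, and nothing at this site records that dependency. A one-line comment above the pair would keep a later edit from reintroducing the tmp_* branches, for example `/* flist/finfo already name the live block: new on success, old on failure */`. The enclosing if-block and the clearwire target lie outside the hunk, so whether either pointer is read again after the jump cannot be checked from here; if it is, both should be set to NULL after the frees.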
