This patch fixes two bugs in the realloc invocation in setCode(), which most likely cause memory corruption when realloc is triggered:
1. Pass *enc to realloc (which is the dynamically-allocated buffer), instead of enc (which stores a pointer to the dynamically-allocated buffer). 2. Allocate enough memory for (*encsize) shorts, instead of (*encsize) bytes; see the call to malloc just above the realloc call. Signed-off-by: Nickolai Zeldovich <[email protected]> --- src/encparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/encparse.c b/src/encparse.c index cbcac80..ee18b3f 100644 --- a/src/encparse.c +++ b/src/encparse.c @@ -426,7 +426,7 @@ setCode(unsigned from, unsigned to, unsigned row_size, } } else if(*encsize <= index) { *encsize = 0x10000; - if((newenc = realloc(enc, *encsize))==NULL) + if((newenc = realloc(*enc, (*encsize) * sizeof(unsigned short)))==NULL) return 1; *enc = newenc; } -- 1.7.10.4 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
