Fix double free upon encountering invalid font

* src/sfnt.c (sfnt_read_cmap_table): Don't allocate too big
data.  Also, free elements of (*data), not offsets into data
itself.

diff --git a/src/sfnt.c b/src/sfnt.c
index f5b84afa0a58524c5a672363549f1078ed67bb16..c5aeda11ff23082d6ce7b2a328624999eebe6cc2 100644 (file)
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -910,7 +910,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
 
   /* Second, read each encoding subtable itself.  */
   *data = xmalloc (cmap->num_subtables
-                  * sizeof **subtables);
+                  * sizeof *data);
 
   for (i = 0; i < cmap->num_subtables; ++i)
     {
@@ -923,7 +923,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
             being unsupported.)  Return now.  */
 
          for (j = 0; j < i; ++j)
-           xfree (data[j]);
+           xfree ((*data)[j]);
 
          xfree (*data);
          xfree (*subtables);