From: Po Lu
Date: Wed, 8 Mar 2023 02:19:26 +0000 (+0800)
Subject: Fix double free upon encountering invalid font
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=fdff5442a59fd2387c23e2be2658dafa39466891;p=emacs.git
Fix double free upon encountering invalid font
* src/sfnt.c (sfnt_read_cmap_table): Don't allocate too big data. Also, free elements of (*data), not offsets into data itself.
---
diff --git a/src/sfnt.c b/src/sfnt.c
index f5b84afa0a5..c5aeda11ff2 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -910,7 +910,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
 /* Second, read each encoding subtable itself. */
 *data = xmalloc (cmap->num_subtables
- * sizeof **subtables);
+ * sizeof *data);
 for (i = 0; i < cmap->num_subtables; ++i)
 {
@@ -923,7 +923,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
 being unsupported.) Return now. */
 for (j = 0; j < i; ++j)
- xfree (data[j]);
+ xfree ((*data)[j]);
 xfree (*data);
 xfree (*subtables);
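Review bot: The new size expression in the first hunk, `sizeof *data`, measures the pointer to the array rather than one element of it; the elements are `(*data)[j]`, as the second hunk's `xfree ((*data)[j])` shows, so the matching form is `* sizeof **data);`. Both are object pointers, so the byte count is presumably the same on the platforms Emacs targets, which makes this a matter of idiom rather than a live overflow. It is still worth making exact, because the expression being removed, `sizeof **subtables`, was the same kind of slip and the count apparently comes from the font file being parsed. The declaration of `data` is outside the hunk, so confirm the level of indirection against the signature.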
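Review bot: The corrected cleanup path in the second hunk frees every `(*data)[j]`, then `*data` and `*subtables`, but none of the visible lines clears the caller's pointers afterwards. Because both are out-parameters, a caller that releases them on every exit path would run into the same class of double free this commit fixes. If the lines after the hunk do not already do it, add `*data = NULL;` and `*subtables = NULL;` after the `xfree` calls, and state in the function comment that both are left NULL on failure. The function body continues outside the hunk, so the return statement is not visible here.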