From fdff5442a59fd2387c23e2be2658dafa39466891 Mon Sep 17 00:00:00 2001
From: Po Lu
Date: Wed, 8 Mar 2023 10:19:26 +0800
Subject: [PATCH] Fix double free upon encountering invalid font

* src/sfnt.c (sfnt_read_cmap_table): Don't allocate too big data.
Also, free elements of (*data), not offsets into data itself.
---
 src/sfnt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sfnt.c b/src/sfnt.c
index f5b84afa0a5..c5aeda11ff2 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -910,7 +910,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
 /* Second, read each encoding subtable itself. */
 *data = xmalloc (cmap->num_subtables
- * sizeof **subtables);
+ * sizeof *data);
 for (i = 0; i < cmap->num_subtables; ++i)
 {
@@ -923,7 +923,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
 being unsupported.) Return now. */
 for (j = 0; j < i; ++j)
- xfree (data[j]);
+ xfree ((*data)[j]);
 xfree (*data);
 xfree (*subtables);
-- 
2.39.2
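Review bot: The new `sizeof *data` in the xmalloc call sizes the allocation by the type of `*data` itself rather than by the type of the array elements it will hold; the second hunk frees `(*data)[j]`, so those elements are pointers and the element size is `sizeof **data`. Both expressions evaluate to a pointer size today, so the allocation is now correct, but the line no longer follows the `p = xmalloc (n * sizeof *p)` shape and would silently under- or over-allocate if the type of `data` ever changed. Suggest `*data = xmalloc (cmap->num_subtables * sizeof **data);`. sfnt_read_cmap_table starts and ends outside this hunk.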
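Review bot: After the corrected element loop, `xfree (*data)` and `xfree (*subtables)` release the caller's buffers but leave the out-parameters pointing at freed memory; if the caller touches or frees `*data` or `*subtables` on this error path, that is a second double-free of the kind this commit fixes. Clearing them after the frees, `*data = NULL; *subtables = NULL;`, makes the error path safe regardless of what the caller does next. The loop also assumes every `(*data)[j]` for j < i was assigned before the failing iteration; if an unsupported subtable can leave an entry unassigned, xfree would receive an indeterminate pointer, which is worth confirming against the loop body above. The return and the rest of the error path lie outside the hunk.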