libdraw: replace hand-rolled realloc, preventing buffer overflow. The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large. Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf (newsize) is mallocated. Unfortunately memmove() reads (newsize) bytes from the original (oldsize) buffer, causing a buffer overflow. By switching to realloc(), we don't need to do buffer size calculation, memmoving, and freeing of the original buffer. Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd Reviewed-on: https://plan9port-review.googlesource.com/1520 Reviewed-by: Gleydson Soares <gsoares@gmail.com>

commit: 94b38bdb722052838eb0d940c05995b870db4ea0 [log] [tgz]
author: Ray Lai <ray@raylai.com> Wed May 18 14:06:20 2016 +0800
committer: Gleydson Soares <gsoares@gmail.com> Sat Apr 08 00:06:42 2017 +0000
tree: caa3e66b9f3395c55385c5e201ac5ad336b101ef
parent: 669713d43f8a014ba481265d4c58c3fe575527b4 [diff]
diff --git a/src/libdraw/font.c b/src/libdraw/font.c
index 8370606..13bcd26 100644
--- a/src/libdraw/font.c
+++ b/src/libdraw/font.c

@@ -222,16 +222,14 @@
 			subf->age = 0;
 		}else{				/* too recent; grow instead */
 			of = f->subf;
-			f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+			f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
 			if(f->subf == nil){
 				f->subf = of;
 				goto Toss;
 			}
-			memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
 			memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
 			subf = &f->subf[f->nsubf];
 			f->nsubf += DSUBF;
-			free(of);
 		}
 	}
 	subf->age = 0;
commit	94b38bdb722052838eb0d940c05995b870db4ea0	[log] [tgz]
author	Ray Lai <ray@raylai.com>	Wed May 18 14:06:20 2016 +0800
committer	Gleydson Soares <gsoares@gmail.com>	Sat Apr 08 00:06:42 2017 +0000
tree	caa3e66b9f3395c55385c5e201ac5ad336b101ef
parent	669713d43f8a014ba481265d4c58c3fe575527b4 [diff]