libdraw: replace hand-rolled realloc, preventing buffer overflow.
The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large.
Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf
(newsize) is mallocated. Unfortunately memmove() reads (newsize)
bytes from the original (oldsize) buffer, causing a buffer overflow.
By switching to realloc(), we don't need to do buffer size calculation,
memmoving, and freeing of the original buffer.
Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd
Reviewed-on: https://plan9port-review.googlesource.com/1520
Reviewed-by: Gleydson Soares <gsoares@gmail.com>
diff --git a/src/libdraw/font.c b/src/libdraw/font.c
index 8370606..13bcd26 100644
--- a/src/libdraw/font.c
+++ b/src/libdraw/font.c
@@ -222,16 +222,14 @@
subf->age = 0;
}else{ /* too recent; grow instead */
of = f->subf;
- f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+ f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
if(f->subf == nil){
f->subf = of;
goto Toss;
}
- memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
subf = &f->subf[f->nsubf];
f->nsubf += DSUBF;
- free(of);
}
}
subf->age = 0;