commit 94b38bdb722052838eb0d940c05995b870db4ea0
parent 669713d43f8a014ba481265d4c58c3fe575527b4
Author: Ray Lai <ray@raylai.com>
Date: Wed, 18 May 2016 14:06:20 +0800
libdraw: replace hand-rolled realloc, preventing buffer overflow.
The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large.
Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf
(newsize) is mallocated. Unfortunately memmove() reads (newsize)
bytes from the original (oldsize) buffer, causing a buffer overflow.
By switching to realloc(), we don't need to do buffer size calculation,
memmoving, and freeing of the original buffer.
Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd
Reviewed-on: https://plan9port-review.googlesource.com/1520
Reviewed-by: Gleydson Soares <gsoares@gmail.com>
Diffstat:
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/libdraw/font.c b/src/libdraw/font.c
@@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int noflush, char **subfontname)
subf->age = 0;
}else{ /* too recent; grow instead */
of = f->subf;
- f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+ f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
if(f->subf == nil){
f->subf = of;
goto Toss;
}
- memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
subf = &f->subf[f->nsubf];
f->nsubf += DSUBF;
- free(of);
}
}
subf->age = 0;
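Review bot: The restore on the failure path, `f->subf = of;`, is correct only because realloc() leaves the original block intact when it returns nil, and that is worth stating next to it: `/* realloc failed: of is still valid and still owned by f->subf */`. The ordering of `subf = &f->subf[f->nsubf];` after the realloc also carries a hidden invariant (the block may have moved, so any earlier pointer into it is stale) that a one-line comment such as `/* block may have moved; recompute subf from the new base */` would make explicit. After a successful realloc `of` is dangling; nothing in this hunk touches it, but loadchar continues past the hunk, so it is worth confirming it is not referenced later in the function. The size expression `(f->nsubf+DSUBF)*sizeof *subf` is not checked for overflow, though with nsubf growing by DSUBF per call this is presumably unreachable in practice.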