Fix memory leak (Coverity defect #2089).

Ignore script if subtable is missing (Coverity defect #2088). Fix possible null pointer dereference (Coverity defect #784) and memory leak (Coverity defects #785, #786). Don't copy FcCharSet if we're going to throw it away anyway. (Reported by Kenichi Handa). reviewed by: plam
2006-04-12 14:36:36 +00:00 · 2006-04-12 14:36:36 +00:00 · 2f02e38361
parent a56e89ab4f
commit 2f02e38361
5 changed files with 51 additions and 19 deletions
--- a/21
+++ b/21
@ -1,3 +1,24 @@
+2006-04-12  Frederic Crozat  <fcrozat@mandriva.com>
+	reviewed by: plam
+	
+	* src/fcpat.c: (FcPatternFreeze):
+	Fix memory leak (Coverity defect #2089).
+
+	* src/fcfreetype.c: (GetScriptTags):
+	Ignore script if subtable is missing (Coverity defect #2088).
+
+2006-04-12  Patrick Lam  <plam@mit.edu>
+	* src/fccfg.c (FcConfigSubstituteWithPat):
+
+	Fix possible null pointer dereference (Coverity defect #784)
+	and memory leak (Coverity defects #785, #786).
+
+2006-04-12  Patrick Lam  <plam@mit.edu>
+	* src/fcmatch.c (FcSortWalk, FcFontSetSort):
+
+	Don't copy FcCharSet if we're going to throw it away anyway.
+	(Reported by Kenichi Handa).
+
 2006-04-11  Ming Zhao  <ming@gentoo.org>
 	reviewed by: plam
 	
--- a/src/fccfg.c
+++ b/src/fccfg.c
@ -1512,7 +1512,8 @@ FcConfigSubstituteWithPat (FcConfig    *config,
 		    /*
 		     * Delete the marked value
 		     */
-		    FcConfigDel (&st[i].elt->values, thisValue);
+                    if (thisValue)
+			FcConfigDel (&st[i].elt->values, thisValue);
 		    /*
 		     * Adjust any pointers into the value list to ensure
 		     * future edits occur at the same place
@ -1567,6 +1568,7 @@ FcConfigSubstituteWithPat (FcConfig    *config,
 		FcConfigPatternAdd (p, e->field, l, FcTrue);
 		break;
 	    default:
+                FcValueListDestroy (FcValueListPtrCreateDynamic(l));
 		break;
 	    }
 	}
--- a/src/fcfreetype.c
+++ b/src/fcfreetype.c
@ -2797,13 +2797,10 @@ GetScriptTags(FT_Face face, FT_ULong tabletag, FT_ULong **stags, FT_UShort *scri

 	cur_offset = ftglue_stream_pos( stream );

-	if (( error = ftglue_stream_seek( stream, new_offset ) ))
-	    goto Fail;
+	error = ftglue_stream_seek( stream, new_offset );

 	if ( error == TT_Err_Ok )
 	    p++;
-	else if ( error != TTO_Err_Empty_Script )
-	    goto Fail;

 	(void)ftglue_stream_seek( stream, cur_offset );
    }
--- a/src/fcmatch.c
+++ b/src/fcmatch.c
@ -791,7 +791,7 @@ FcSortCompare (const void *aa, const void *ab)
 }

 static FcBool
-FcSortWalk (FcSortNode **n, int nnode, FcFontSet *fs, FcCharSet **cs, FcBool trim)
+FcSortWalk (FcSortNode **n, int nnode, FcFontSet *fs, FcCharSet **cs, FcBool trim, FcBool build_cs)
 {
    FcCharSet	*ncs;
    FcSortNode	*node;
@ -808,16 +808,20 @@ FcSortWalk (FcSortNode **n, int nnode, FcFontSet *fs, FcCharSet **cs, FcBool tri
 	     */
 	    if (!trim || !*cs || !FcCharSetIsSubset (ncs, *cs))
 	    {
-		if (*cs)
-		{
-		    ncs = FcCharSetUnion (ncs, *cs);
-		    if (!ncs)
-			return FcFalse;
-		    FcCharSetDestroy (*cs);
-		}
-		else
-		    ncs = FcCharSetCopy (ncs);
-		*cs = ncs;
+                if (!trim && build_cs)
+                {
+                    if (*cs)
+                    {
+                        ncs = FcCharSetUnion (ncs, *cs);
+                        if (!ncs)
+                            return FcFalse;
+                        FcCharSetDestroy (*cs);
+                    }
+                    else
+                        ncs = FcCharSetCopy (ncs);
+                    *cs = ncs;
+                }
+
 		FcPatternReference (node->pattern);
 		if (FcDebug () & FC_DBG_MATCH)
 		{
@ -986,13 +990,16 @@ FcFontSetSort (FcConfig	    *config,

    cs = 0;

-    if (!FcSortWalk (nodeps, nnodes, ret, &cs, trim))
+    if (!FcSortWalk (nodeps, nnodes, ret, &cs, trim, (csp!=0)))
 	goto bail2;

    if (csp)
 	*csp = cs;
    else
-	FcCharSetDestroy (cs);
+    {
+        if (cs)
+            FcCharSetDestroy (cs);
+    }

    free (nodes);

--- a/src/fcpat.c
+++ b/src/fcpat.c
@ -639,7 +639,7 @@ FcPatternBaseThawAll (void)
 FcPattern *
 FcPatternFreeze (FcPattern *p)
 {
-    FcPattern	*b, *n = 0;
+    FcPattern	*b, *n = 0, *freeme = 0;
    FcPatternElt *e;
    int		i;
    
@ -673,7 +673,10 @@ FcPatternFreeze (FcPattern *p)
 	(FcPatternEltU(b->elts)+i)->values = 
 	    FcValueListFreeze((FcPatternEltU(p->elts)+i)->values);
 	if (!FcValueListPtrU((FcPatternEltU(p->elts)+i)->values))
+        {
+	    freeme = b;
 	    goto bail;
+        }
    }

    if (FcPatternFindElt (p, FC_FILE))
@ -695,6 +698,8 @@ FcPatternFreeze (FcPattern *p)
    b->elts = FcPatternEltPtrCreateDynamic(0);
    FcMemFree (FC_MEM_PATELT, sizeof (FcPatternElt)*(b->num));
    b->num = -1;
+    if (freeme)
+	FcPatternDestroy (freeme);
 #ifdef DEBUG
    assert (FcPatternEqual (n, p));
 #endif