From a8096dfa5965bfb1953fe829ff13eea23b4233c7 Mon Sep 17 00:00:00 2001
From: Akira TAGOH
Date: Wed, 24 Jun 2015 15:46:45 +0900
Subject: [PATCH] Bug 90867 - Memory Leak during error case in fccharset
https://bugs.freedesktop.org/show_bug.cgi?id=90867
---
 src/fccharset.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/fccharset.c b/src/fccharset.c
index 6e0093f..3f17892 100644
--- a/src/fccharset.c
+++ b/src/fccharset.c
@@ -164,6 +164,14 @@ FcCharSetPutLeaf (FcCharSet *fcs,
 unsigned int alloced = 8;
 leaves = malloc (alloced * sizeof (*leaves));
 numbers = malloc (alloced * sizeof (*numbers));
+ if (!leaves || !numbers)
+ {
+ if (leaves)
+ free (leaves);
+ if (numbers)
+ free (numbers);
+ return FcFalse;
+ }
 }
 else
 {
@@ -172,8 +180,19 @@ FcCharSetPutLeaf (FcCharSet *fcs,
 alloced *= 2;
 new_leaves = realloc (leaves, alloced * sizeof (*leaves));
+ if (!new_leaves)
+ return FcFalse;
 numbers = realloc (numbers, alloced * sizeof (*numbers));
-
+ if (!numbers)
+ {
+ /* Revert the reallocation of leaves */
+ leaves = realloc (new_leaves, (alloced / 2) * sizeof (*new_leaves));
+ /* unlikely to fail though */
+ if (!leaves)
+ return FcFalse;
+ fcs->leaves_offset = FcPtrToOffset (fcs, leaves);
+ return FcFalse;
+ }
 distance = (intptr_t) new_leaves - (intptr_t) leaves;
 if (new_leaves && distance)
 {
@@ -184,9 +203,6 @@ FcCharSetPutLeaf (FcCharSet *fcs,
 leaves = new_leaves;
 }
- if (!leaves || !numbers)
- return FcFalse;
-
 fcs->leaves_offset = FcPtrToOffset (fcs, leaves);
 fcs->numbers_offset = FcPtrToOffset (fcs, numbers);
 }
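Review bot: In the hunk at `@@ -164,6 +164,14 @@`, the `if (leaves)` and `if (numbers)` guards around `free` are redundant, because `free (NULL)` is defined to do nothing. The cleanup can be written as `free (leaves); free (numbers); return FcFalse;`, which keeps the error path short and easier to audit. FcCharSetPutLeaf starts and ends outside this hunk.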
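Review bot: In the hunk at `@@ -172,8 +180,19 @@`, the revert branch for a failed `numbers` realloc can leave `fcs->leaves_offset` referring to memory the first `realloc` may already have released, because it returns without publishing `new_leaves` when the shrinking `realloc` fails too. Even when the shrink succeeds, the block may have moved twice, and the branch stores the new address without the `distance` fix-up that the success path applies just below; if the leaf entries are relative to the array's address, as that fix-up suggests, later lookups would resolve to the wrong memory. Growing `numbers` first, publishing `fcs->numbers_offset` immediately and only then growing `leaves` removes the need for any revert, since an over-sized `numbers` block is harmless. This assumes the old `numbers` block stays reachable through `fcs->numbers_offset` when its `realloc` fails, which depends on code outside the hunk; the function body and the fix-up loop also start and end outside it.

```c
    alloced *= 2;
    numbers = realloc (numbers, alloced * sizeof (*numbers));
    if (!numbers)
        return FcFalse;
    /* numbers may have moved: publish it before the leaves realloc can fail */
    fcs->numbers_offset = FcPtrToOffset (fcs, numbers);
    new_leaves = realloc (leaves, alloced * sizeof (*leaves));
    if (!new_leaves)
        return FcFalse;
    /* … unchanged: distance computation and leaf offset fix-up … */
```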