Fix heap corruption on Windows in FcEndElement()
Must not call FcStrFree() on a value returned by FcStrBufDoneStatic(). In the Windows-specific code, don't bother with dynamic allocation; just use a local buffer.
parent
a1b6e34a9a
commit
d15678127a
41
src/fcxml.c
41
src/fcxml.c
|
@ -2031,6 +2031,9 @@ FcEndElement(void *userData, const XML_Char *name)
|
||||||
{
|
{
|
||||||
FcConfigParse *parse = userData;
|
FcConfigParse *parse = userData;
|
||||||
FcChar8 *data;
|
FcChar8 *data;
|
||||||
|
#ifdef _WIN32
|
||||||
|
FcChar8 buffer[1000];
|
||||||
|
#endif
|
||||||
|
|
||||||
if (!parse->pstack)
|
if (!parse->pstack)
|
||||||
return;
|
return;
|
||||||
|
@ -2050,18 +2053,10 @@ FcEndElement(void *userData, const XML_Char *name)
|
||||||
if (strcmp (data, "CUSTOMFONTDIR") == 0)
|
if (strcmp (data, "CUSTOMFONTDIR") == 0)
|
||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
FcStrFree (data);
|
data = buffer;
|
||||||
data = malloc (1000);
|
if (!GetModuleFileName (NULL, buffer, sizeof (buffer) - 20))
|
||||||
if (!data)
|
|
||||||
{
|
|
||||||
FcConfigMessage (parse, FcSevereError, "out of memory");
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
FcMemAlloc (FC_MEM_STRING, 1000);
|
|
||||||
if(!GetModuleFileName(NULL, data, 1000))
|
|
||||||
{
|
{
|
||||||
FcConfigMessage (parse, FcSevereError, "GetModuleFileName failed");
|
FcConfigMessage (parse, FcSevereError, "GetModuleFileName failed");
|
||||||
FcStrFree (data);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
p = strrchr (data, '\\');
|
p = strrchr (data, '\\');
|
||||||
|
@ -2071,18 +2066,10 @@ FcEndElement(void *userData, const XML_Char *name)
|
||||||
else if (strcmp (data, "APPSHAREFONTDIR") == 0)
|
else if (strcmp (data, "APPSHAREFONTDIR") == 0)
|
||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
FcStrFree (data);
|
data = buffer;
|
||||||
data = malloc (1000);
|
if (!GetModuleFileName (NULL, buffer, sizeof (buffer) - 20))
|
||||||
if (!data)
|
|
||||||
{
|
|
||||||
FcConfigMessage (parse, FcSevereError, "out of memory");
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
FcMemAlloc (FC_MEM_STRING, 1000);
|
|
||||||
if(!GetModuleFileName(NULL, data, 1000))
|
|
||||||
{
|
{
|
||||||
FcConfigMessage (parse, FcSevereError, "GetModuleFileName failed");
|
FcConfigMessage (parse, FcSevereError, "GetModuleFileName failed");
|
||||||
FcStrFree (data);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
p = strrchr (data, '\\');
|
p = strrchr (data, '\\');
|
||||||
|
@ -2092,19 +2079,11 @@ FcEndElement(void *userData, const XML_Char *name)
|
||||||
else if (strcmp (data, "WINDOWSFONTDIR") == 0)
|
else if (strcmp (data, "WINDOWSFONTDIR") == 0)
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
FcStrFree (data);
|
data = buffer;
|
||||||
data = malloc (1000);
|
rc = GetSystemWindowsDirectory (buffer, sizeof (buffer) - 20);
|
||||||
if (!data)
|
if (rc == 0 || rc > sizeof (buffer) - 20)
|
||||||
{
|
|
||||||
FcConfigMessage (parse, FcSevereError, "out of memory");
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
FcMemAlloc (FC_MEM_STRING, 1000);
|
|
||||||
rc = GetSystemWindowsDirectory (data, 800);
|
|
||||||
if (rc == 0 || rc > 800)
|
|
||||||
{
|
{
|
||||||
FcConfigMessage (parse, FcSevereError, "GetSystemWindowsDirectory failed");
|
FcConfigMessage (parse, FcSevereError, "GetSystemWindowsDirectory failed");
|
||||||
FcStrFree (data);
|
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (data [strlen (data) - 1] != '\\')
|
if (data [strlen (data) - 1] != '\\')
|
||||||
|
|
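Review bot: In the CUSTOMFONTDIR and APPSHAREFONTDIR branches the new `if (!GetModuleFileName (NULL, buffer, sizeof (buffer) - 20))` test rejects only a zero return, so a module path truncated at the size limit is still accepted. GetModuleFileName returns the size it was given when it truncates, and on older Windows releases the result is documented as not null-terminated, which would leave the following `strrchr (data, '\\')` scanning an uninitialised stack array. Keeping the return value and testing it the way the WINDOWSFONTDIR branch already does would close this, e.g. `if (n == 0 || n >= sizeof (buffer) - 20)` with `n` holding the call's result. The `- 20` headroom presumably reserves room for a suffix appended outside these hunks; a named constant plus a comment such as `/* data now points at a stack buffer: never pass it to FcStrFree() or keep it past this function */` would record both assumptions. FcEndElement's body begins and ends outside the visible hunks, so how `data` is used afterwards should be confirmed against the full function.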