Memory access fault in FcConfigSubstituteWithPat
There's a memory access fault in `FcConfigSubstituteWithPat` in case one of the following calls to `malloc` fails:
```c
    value = (FcValueList **) malloc (SIZEOF_VOID_P * nobjs);
    if (!value)
    {
        retval = FcFalse;
        goto bail1;
    }
    elt = (FcPatternElt **) malloc (SIZEOF_VOID_P * nobjs);
    if (!elt)
    {
        retval = FcFalse;
        goto bail1;
    }
    tst = (FcTest **) malloc (SIZEOF_VOID_P * nobjs);
    if (!tst)
    {
        retval = FcFalse;
        goto bail1;
    }
```
The memory access fault is caused by the fact that in `bail1` we have this:
```c
bail1:
    FamilyTableClear (&data);
```
But `data` is initialized after the `malloc` calls quoted above, thus a call to `FamilyTableClear` will cause a memory access fault. I don't know how to post merge requests here so I'm just posting my fix. We just have to initialize `data` before any gotos to `bail1`, e.g. like this:
```c
    FamilyTableInit (&data, p); // --> I moved this line to here!
    nobjs = FC_MAX_BASE_OBJECT + config->maxObjects + 2;
    value = (FcValueList **) malloc (SIZEOF_VOID_P * nobjs);
    if (!value)
    {
        retval = FcFalse;
        goto bail1;
    }
    elt = (FcPatternElt **) malloc (SIZEOF_VOID_P * nobjs);
    if (!elt)
    {
        retval = FcFalse;
        goto bail1;
    }
    tst = (FcTest **) malloc (SIZEOF_VOID_P * nobjs);
    if (!tst)
    {
        retval = FcFalse;
        goto bail1;
    }
    if (FcDebug () & FC_DBG_EDIT)
    {
        printf ("FcConfigSubstitute ");
        FcPatternPrint (p);
    }
```
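The bug above is a general C pattern: a shared cleanup label (`bail1`) that tears down state which some of the `goto`s reach before that state was initialised. The example below is an added illustration, not fontconfig code; `family_table`, `family_table_init`, `family_table_clear` and `substitute_fixed` are hypothetical stand-ins for the real `FamilyTable` routines and `FcConfigSubstituteWithPat`. It applies the fix the report proposes (initialise first, then allocate) and wraps the allocation in a fault-injecting `test_malloc` so that every error path can be driven deliberately and checked for a clean return with no leaked allocations.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for fontconfig's FamilyTable (constructed for this example). */
typedef struct {
    char **names;       /* heap array, NULL until init */
    size_t count;
    int    initialized; /* lets the clear routine detect the bug pattern */
} family_table;

/* Fault-injection allocator: fails on the Nth call (1-based); 0 means never fail.
 * g_live_allocs counts outstanding allocations so leaks on error paths are visible. */
static int g_fail_on_call = 0;
static int g_call_no = 0;
static int g_live_allocs = 0;

static void *test_malloc(size_t n) {
    g_call_no++;
    if (g_fail_on_call && g_call_no == g_fail_on_call)
        return NULL;
    void *p = malloc(n);
    if (p) g_live_allocs++;
    return p;
}

static void test_free(void *p) {
    if (p) { g_live_allocs--; free(p); }
}

static void family_table_init(family_table *t) {
    t->names = NULL; t->count = 0; t->initialized = 1;
}

static void family_table_clear(family_table *t) {
    /* In the reported bug the clear ran on an uninitialised struct and faulted;
     * here we abort loudly instead, which is what a sanitizer build would do. */
    if (!t->initialized) abort();
    for (size_t i = 0; i < t->count; i++) test_free(t->names[i]);
    test_free(t->names);
    t->names = NULL; t->count = 0; t->initialized = 0;
}

/* Fixed ordering: the table is initialised before any allocation, so every
 * 'goto bail1' finds state that is valid to clear. Returns false on failure. */
static bool substitute_fixed(size_t nobjs) {
    family_table data;
    void **value = NULL, **elt = NULL, **tst = NULL;
    bool retval = true;

    family_table_init(&data);                 /* moved ahead of the mallocs */
    value = test_malloc(sizeof(void *) * nobjs);
    if (!value) { retval = false; goto bail1; }
    elt = test_malloc(sizeof(void *) * nobjs);
    if (!elt)   { retval = false; goto bail1; }
    tst = test_malloc(sizeof(void *) * nobjs);
    if (!tst)   { retval = false; goto bail1; }

    /* ... the real function's substitution work would go here ... */

bail1:
    family_table_clear(&data);                /* always safe now */
    test_free(tst);
    test_free(elt);
    test_free(value);
    return retval;
}

/* Drives substitute_fixed with no injected failure and with failure injected at
 * each of the three allocation calls. Returns true only if the success case
 * succeeds, every failure case fails cleanly, and nothing is leaked. */
bool exercise_error_paths(void) {
    for (int k = 0; k <= 3; k++) {
        g_fail_on_call = k; g_call_no = 0; g_live_allocs = 0;
        bool ok = substitute_fixed(8);
        if (k == 0 && !ok) return false;   /* no fault injected: must succeed */
        if (k != 0 && ok)  return false;   /* fault injected: must report failure */
        if (g_live_allocs != 0) return false;
    }
    return true;
}
```

The same harness works for the buggy ordering: move the `family_table_init` call below the allocations and the injected failures reach `bail1` with `initialized` holding stack garbage, which is exactly the condition the report describes.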