[cairo-commit] src/cairo-cff-subset.c

Adrian Johnson ajohnson at kemper.freedesktop.org
Sun Mar 13 04:04:26 PDT 2011


 src/cairo-cff-subset.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

New commits:
commit f2f65684f0c6e1a26741bf96bb9bec286457a571
Author: Adrian Johnson <ajohnson at redneon.com>
Date:   Sun Mar 13 19:30:21 2011 +1030

    cff: Fix heap corruption
    
    caused by holding a pointer into a cairo_array after a realloc
    
    https://bugs.freedesktop.org/show_bug.cgi?id=35161

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index f404412..1f4fbbb 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1905,7 +1905,8 @@ cairo_cff_font_write_cid_fontdict (cairo_cff_font_t *font)
 {
     unsigned int i;
     cairo_int_status_t status;
-    uint32_t *offset_array;
+    unsigned int offset_array;
+    uint32_t *offset_array_ptr;
     int offset_base;
     uint16_t count;
     uint8_t offset_size = 4;
@@ -1918,19 +1919,25 @@ cairo_cff_font_write_cid_fontdict (cairo_cff_font_t *font)
     status = _cairo_array_append (&font->output, &offset_size);
     if (unlikely (status))
         return status;
+
+    offset_array = _cairo_array_num_elements (&font->output);
     status = _cairo_array_allocate (&font->output,
                                     (font->num_subset_fontdicts + 1)*offset_size,
-                                    (void **) &offset_array);
+                                    (void **) &offset_array_ptr);
     if (unlikely (status))
         return status;
     offset_base = _cairo_array_num_elements (&font->output) - 1;
-    *offset_array++ = cpu_to_be32(1);
+    *offset_array_ptr = cpu_to_be32(1);
+    offset_array += sizeof(uint32_t);
     for (i = 0; i < font->num_subset_fontdicts; i++) {
         status = cff_dict_write (font->fd_dict[font->fd_subset_map[i]],
                                  &font->output);
         if (unlikely (status))
             return status;
-        *offset_array++ = cpu_to_be32(_cairo_array_num_elements (&font->output) - offset_base);
+
+	offset_array_ptr = (uint32_t *) _cairo_array_index (&font->output, offset_array);
+        *offset_array_ptr = cpu_to_be32(_cairo_array_num_elements (&font->output) - offset_base);
+	offset_array += sizeof(uint32_t);
     }
 
     return CAIRO_STATUS_SUCCESS;
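Review bot: The re-derivation of `offset_array_ptr` right after `cff_dict_write` is the actual fix, but nothing in the loop says why the pointer must not be carried across iterations, so a later cleanup could reintroduce the dangling pointer; a why-comment above the `_cairo_array_index` line would guard it: `/* cff_dict_write may grow font->output (realloc), so the slot pointer is recomputed from its byte offset each iteration */`. The two re-derived lines are tab-indented while the rest of the function uses spaces, which is worth normalising before this lands. Casting the indexed byte position to `uint32_t *` presumably relies on the array having an element size of 1 and the slot being 4-byte aligned, as the original `_cairo_array_allocate` result did; that is not verifiable from the hunk and should be confirmed rather than assumed. The function's closing brace lies outside the hunk.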

