From 624508365ec3279bc74ce523d024533e062629e1 Mon Sep 17 00:00:00 2001
From: Nickolai Zeldovich
Date: Sun, 3 Mar 2013 23:57:34 -0500
Subject: libfontenc: setCode(): fix realloc invocation

This patch fixes two bugs in the realloc invocation in setCode(), which most likely cause memory corruption when realloc is triggered:

1. Pass *enc to realloc (which is the dynamically-allocated buffer), instead of enc (which stores a pointer to the dynamically-allocated buffer).

2. Allocate enough memory for (*encsize) shorts, instead of (*encsize) bytes; see the call to malloc just above the realloc call.

Signed-off-by: Nickolai Zeldovich
Reviewed-by: Aaron Plattner
Reviewed-by: Alan Coopersmith
Signed-off-by: Alan Coopersmith
---
 src/encparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/encparse.c b/src/encparse.c
index cbcac80..ee18b3f 100644
--- a/src/encparse.c
+++ b/src/encparse.c
@@ -426,7 +426,7 @@ setCode(unsigned from, unsigned to, unsigned row_size,
 }
 } else if(*encsize <= index) {
 *encsize = 0x10000;
- if((newenc = realloc(enc, *encsize))==NULL)
+ if((newenc = realloc(*enc, (*encsize) * sizeof(unsigned short)))==NULL)
 return 1;
 *enc = newenc;
 }
-- 
cgit v1.2.3
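Review bot: On the failure path of the corrected realloc call, `*encsize` has already been set to 0x10000 while `*enc` still points at the old, smaller buffer, so the recorded size no longer matches the allocation. If a caller keeps using this encoding state after setCode() returns 1 (the callers are not visible in this hunk), a later call would skip the `*encsize <= index` grow branch and could write past the end of the buffer. Sizing the call directly, `realloc(*enc, 0x10000 * sizeof(unsigned short))`, and moving `*encsize = 0x10000;` to after `*enc = newenc;` keeps the size and the buffer in step. The branch also relies on index being below 0x10000, a bound that would have to be established earlier in setCode(), whose body begins and ends outside the hunk.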