authorAdrian Johnson <ajohnson@redneon.com>2017-07-08 09:28:03 +0930
committerBryce Harrington <bryce@osg.samsung.com>2018-05-07 16:35:51 -0700
commit199823938780c8e50099b627d3e9137acba7a263 (patch)
tree858c70f2a9c116ed2a5ffcb05cd9d8d3fe18a4cb /src/cairo-cff-subset.c
parent7554822dd0b52d33ec7898e81b59e97164b00142 (diff)
Use _cairo_malloc instead of malloc
_cairo_malloc(0) always returns NULL, but has not been used consistently. This patch replaces many calls to malloc() with _cairo_malloc(). Fixes: fdo# 101547 CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299 Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Diffstat (limited to 'src/cairo-cff-subset.c')
-rw-r--r--src/cairo-cff-subset.c36
1 files changed, 18 insertions, 18 deletions
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 13fee5058..37727eddb 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -547,7 +547,7 @@ cff_index_append_copy (cairo_array_t *index,
element.length = length;
element.is_copy = TRUE;
- element.data = malloc (element.length);
+ element.data = _cairo_malloc (element.length);
if (unlikely (element.data == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
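Review bot: A zero `element.length` now fails this allocation and is reported as `CAIRO_STATUS_NO_MEMORY`, because the commit message states that `_cairo_malloc(0)` always returns NULL. If a zero-length element can legitimately arrive here from font data, it is misreported as out-of-memory. The same holds for `_cairo_malloc (size)` in cff_dict_create_operator, and for the `data_length` and `length` allocations in the font-loading and `*_init` hunks further down. Each of these sites should either reject a zero size explicitly with a format-level error or carry a comment such as `/* zero length yields NULL from _cairo_malloc and is treated as failure */`. cff_index_append_copy starts and ends outside this hunk, so where `length` is validated is not visible here.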
@@ -610,12 +610,12 @@ cff_dict_create_operator (int operator,
{
cff_dict_operator_t *op;
- op = malloc (sizeof (cff_dict_operator_t));
+ op = _cairo_malloc (sizeof (cff_dict_operator_t));
if (unlikely (op == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
_cairo_dict_init_key (op, operator);
- op->operand = malloc (size);
+ op->operand = _cairo_malloc (size);
if (unlikely (op->operand == NULL)) {
free (op);
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -716,7 +716,7 @@ cff_dict_set_operands (cairo_hash_table_t *dict,
op = _cairo_hash_table_lookup (dict, &key.base);
if (op != NULL) {
free (op->operand);
- op->operand = malloc (size);
+ op->operand = _cairo_malloc (size);
if (unlikely (op->operand == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
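Review bot: The old operand is freed before its replacement is allocated, so on the failure return the entry stays in `dict` with `op->operand == NULL`, and with `_cairo_malloc` that path is also taken when `size` is 0. Whether a stored operand length is reset is not visible in this hunk, so a later reader of the entry could pair a NULL pointer with a stale length. Allocating into a local of the operand's type first and swapping only on success keeps the entry intact on failure. The function continues past the end of the hunk.

```c
if (op != NULL) {
    /* allocate before releasing the old buffer so op stays valid on failure */
    new_operand = _cairo_malloc (size);
    if (unlikely (new_operand == NULL))
        return _cairo_error (CAIRO_STATUS_NO_MEMORY);
    free (op->operand);
    op->operand = new_operand;
    /* … unchanged: rest of the update branch … */
```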
@@ -870,7 +870,7 @@ cairo_cff_font_read_name (cairo_cff_font_t *font)
len -= 7;
}
}
- font->ps_name = malloc (len + 1);
+ font->ps_name = _cairo_malloc (len + 1);
if (unlikely (font->ps_name == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -1858,7 +1858,7 @@ cairo_cff_font_create_cid_fontdict (cairo_cff_font_t *font)
cairo_status_t status;
font->num_fontdicts = 1;
- font->fd_dict = malloc (sizeof (cairo_hash_table_t *));
+ font->fd_dict = _cairo_malloc (sizeof (cairo_hash_table_t *));
if (unlikely (font->fd_dict == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -1869,11 +1869,11 @@ cairo_cff_font_create_cid_fontdict (cairo_cff_font_t *font)
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
}
- font->fd_subset_map = malloc (sizeof (int));
+ font->fd_subset_map = _cairo_malloc (sizeof (int));
if (unlikely (font->fd_subset_map == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
- font->private_dict_offset = malloc (sizeof (int));
+ font->private_dict_offset = _cairo_malloc (sizeof (int));
if (unlikely (font->private_dict_offset == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -1968,7 +1968,7 @@ cairo_cff_font_subset_font (cairo_cff_font_t *font)
if (unlikely (status))
return status;
} else {
- font->private_dict_offset = malloc (sizeof (int));
+ font->private_dict_offset = _cairo_malloc (sizeof (int));
if (unlikely (font->private_dict_offset == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
}
@@ -2560,7 +2560,7 @@ cairo_cff_font_generate (cairo_cff_font_t *font,
/* If the PS name is not found, create a CairoFont-x-y name. */
if (font->ps_name == NULL) {
- font->ps_name = malloc (30);
+ font->ps_name = _cairo_malloc (30);
if (unlikely (font->ps_name == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
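Review bot: The literal `30` is the only statement of this buffer's size in the hunk, and the code that writes the "CairoFont-x-y" name lies outside it, so the allocation and the write bound can drift apart unnoticed. A named constant shared by both, for example `font->ps_name = _cairo_malloc (CFF_FALLBACK_NAME_SIZE);` (the name is a suggestion), would keep the bound in one place. It would also be worth a comment stating that the size must cover the longest generated name plus the terminator.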
@@ -2710,7 +2710,7 @@ _cairo_cff_font_load_opentype_cff (cairo_cff_font_t *font)
font->is_opentype = TRUE;
font->data_length = data_length;
- font->data = malloc (data_length);
+ font->data = _cairo_malloc (data_length);
if (unlikely (font->data == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -2745,7 +2745,7 @@ _cairo_cff_font_load_cff (cairo_cff_font_t *font)
font->font_name = NULL;
font->is_opentype = FALSE;
font->data_length = data_length;
- font->data = malloc (data_length);
+ font->data = _cairo_malloc (data_length);
if (unlikely (font->data == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -2981,7 +2981,7 @@ _cairo_cff_subset_init (cairo_cff_subset_t *cff_subset,
cff_subset->ascent = (double)font->ascent/font->units_per_em;
cff_subset->descent = (double)font->descent/font->units_per_em;
- cff_subset->data = malloc (length);
+ cff_subset->data = _cairo_malloc (length);
if (unlikely (cff_subset->data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto fail4;
@@ -3040,7 +3040,7 @@ _cairo_cff_scaled_font_is_cid_cff (cairo_scaled_font_t *scaled_font)
(status = backend->load_truetype_table (scaled_font, TT_TAG_CFF,
0, NULL, &data_length)) == CAIRO_INT_STATUS_SUCCESS)
{
- data = malloc (data_length);
+ data = _cairo_malloc (data_length);
if (unlikely (data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
return FALSE;
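Review bot: `status = _cairo_error (CAIRO_STATUS_NO_MEMORY);` is followed directly by `return FALSE;`, so the stored status is never read. An allocation failure, or with `_cairo_malloc` a zero `data_length`, is therefore indistinguishable to the caller from "not a CID CFF font". The same pattern appears in the `load_type1_data` hunk that follows. If dropping the error is intended, say so at both sites with a comment such as `/* allocation failure is reported as "not CID CFF"; status is intentionally dropped */`. The function body extends beyond both hunks.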
@@ -3057,7 +3057,7 @@ _cairo_cff_scaled_font_is_cid_cff (cairo_scaled_font_t *scaled_font)
(status = backend->load_type1_data (scaled_font,
0, NULL, &data_length)) == CAIRO_INT_STATUS_SUCCESS)
{
- data = malloc (data_length);
+ data = _cairo_malloc (data_length);
if (unlikely (data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
return FALSE;
@@ -3130,7 +3130,7 @@ _cairo_cff_font_fallback_create (cairo_scaled_font_subset_t *scaled_font_subset
cairo_status_t status;
cairo_cff_font_t *font;
- font = malloc (sizeof (cairo_cff_font_t));
+ font = _cairo_malloc (sizeof (cairo_cff_font_t));
if (unlikely (font == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -3316,7 +3316,7 @@ cairo_cff_font_fallback_generate (cairo_cff_font_t *font,
if (unlikely (status))
return status;
} else {
- font->private_dict_offset = malloc (sizeof (int));
+ font->private_dict_offset = _cairo_malloc (sizeof (int));
if (unlikely (font->private_dict_offset == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
}
@@ -3393,7 +3393,7 @@ _cairo_cff_fallback_init (cairo_cff_subset_t *cff_subset,
cff_subset->ascent = (double)type2_subset.y_max/1000;
cff_subset->descent = (double)type2_subset.y_min/1000;
- cff_subset->data = malloc (length);
+ cff_subset->data = _cairo_malloc (length);
if (unlikely (cff_subset->data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto fail4;