author: Uli Schlachter <psychon@znc.in> 2021-06-26 14:03:34 +0200
committer: Uli Schlachter <psychon@znc.in> 2021-06-26 14:03:34 +0200
commit: fc1d6caa8c1a161f201ea6dd76eae7ab797713f2
tree: 3f0d9d82506d9ec95074f21c9eba502bf5d61acd /src/cairo-cff-subset.c
parent: 716d144cbdcb1b0512bb81e9e53a36551640d5dc
Fix memory leak in cairo_cff_font_read_cid_fontdict
The function cairo_cff_font_read_cid_fontdict() has a local variable "cairo_array_t index". This array is first filled with data from the font with cff_index_read(). Later in this function, each resulting entry is given to cff_dict_read(). Nothing else is done with the array.

Thus, nothing can keep a reference to "index" and thus this array has to be finalised at the end of the function to avoid a memory leak. This commit does that by falling through to the call to cff_index_fini() that is already there in the error case.

This function checks for each element if its ->is_copy is true and then frees the data. However, cff_index_read() only creates elements with ->is_copy = FALSE, thus this does not do anything. At the end, this calls _cairo_array_fini() which frees the array's memory.

Fixes the following memory leak according to valgrind:

    24 bytes in 1 blocks are definitely lost in loss record 173 of 490
       at 0x48386AF: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x483ADE7: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x4A5ECC3: _cairo_array_grow_by (cairo-array.c:115)
       by 0x4A5EEEE: _cairo_array_allocate (cairo-array.c:317)
       by 0x4A5EE95: _cairo_array_append_multiple (cairo-array.c:288)
       by 0x4A5EE6B: _cairo_array_append (cairo-array.c:265)
       by 0x4AFB12E: cff_index_read (cairo-cff-subset.c:438)
       by 0x4AFC280: cairo_cff_font_read_cid_fontdict (cairo-cff-subset.c:1022)
       by 0x4AFCD42: cairo_cff_font_read_top_dict (cairo-cff-subset.c:1232)
       by 0x4AFD145: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
       by 0x4AFFDC0: cairo_cff_font_generate (cairo-cff-subset.c:2583)
       by 0x4B00D71: _cairo_cff_subset_init (cairo-cff-subset.c:2975)

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30650

Signed-off-by: Uli Schlachter <psychon@znc.in>
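The leak described in the commit message is the classic "early return on success skips the cleanup label" shape. The following C program, added here as an illustration and not cairo's own code, reproduces that shape with a constructed stand-in for cairo_array_t (hypothetical names demo_array_t, demo_index_read, read_fontdict_leaky, read_fontdict_fixed) and a counter of live heap buffers that plays the role of valgrind's "definitely lost" report. The input bytes are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for cairo's cairo_array_t: a growable byte buffer.
 * Not cairo's code; all names here are hypothetical. */
typedef struct {
    unsigned char *data;
    size_t len, cap;
} demo_array_t;

/* Number of demo_array_t buffers currently allocated. If a reader leaves
 * this above zero, it has leaked, which is what valgrind would flag. */
static int live_buffers = 0;

static void demo_array_init(demo_array_t *a) { a->data = NULL; a->len = a->cap = 0; }

static int demo_array_append(demo_array_t *a, const unsigned char *p, size_t n) {
    if (a->len + n > a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 16;
        while (ncap < a->len + n) ncap *= 2;
        unsigned char *nd = realloc(a->data, ncap);
        if (!nd) return -1;
        if (a->data == NULL) live_buffers++;   /* first allocation for this array */
        a->data = nd; a->cap = ncap;
    }
    memcpy(a->data + a->len, p, n);
    a->len += n;
    return 0;
}

/* Counterpart of _cairo_array_fini(): releases the buffer, if any. */
static void demo_array_fini(demo_array_t *a) {
    if (a->data) { free(a->data); live_buffers--; }
    a->data = NULL; a->len = a->cap = 0;
}

/* Constructed index format: one count byte, then that many entry bytes.
 * Returns 0 on success, -1 on a short buffer (checked before any allocation). */
static int demo_index_read(demo_array_t *index, const unsigned char *ptr, size_t avail) {
    if (avail < 1) return -1;
    size_t count = ptr[0];
    if (avail < 1 + count) return -1;
    return demo_array_append(index, ptr + 1, count);
}

/* Leaky shape: the early 'return' on success never reaches the cleanup after 'fail:'. */
static int read_fontdict_leaky(const unsigned char *ptr, size_t avail) {
    demo_array_t index;
    int status;
    demo_array_init(&index);
    status = demo_index_read(&index, ptr, avail);
    if (status) goto fail;
    return 0;                      /* index is never finalised on this path */
fail:
    demo_array_fini(&index);
    return status;
}

/* Fixed shape, as in the commit: record success and fall through to the one cleanup path. */
static int read_fontdict_fixed(const unsigned char *ptr, size_t avail) {
    demo_array_t index;
    int status;
    demo_array_init(&index);
    status = demo_index_read(&index, ptr, avail);
    if (status) goto fail;
    status = 0;                    /* fall through instead of returning */
fail:
    demo_array_fini(&index);
    return status;
}

/* Runs one reader over a constructed 3-entry index and reports how many
 * buffers are still live afterwards (0 means nothing leaked). */
static int leaked_buffers_after(int (*reader)(const unsigned char *, size_t)) {
    static const unsigned char font_bytes[] = { 3, 'a', 'b', 'c' }; /* constructed input */
    live_buffers = 0;
    (void) reader(font_bytes, sizeof font_bytes);
    return live_buffers;
}

/* Shows that the fixed reader still reports errors: count byte promises 5
 * entries but only 1 byte follows, so the read must fail with -1. */
static int fixed_reader_short_input_status(void) {
    static const unsigned char short_bytes[] = { 5, 'a' }; /* constructed input */
    return read_fontdict_fixed(short_bytes, sizeof short_bytes);
}
```

Running leaked_buffers_after over both readers gives 1 for the leaky shape and 0 for the fixed one; the error path is unchanged by the fix, which is the property the single-exit cleanup label is meant to preserve.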
Diffstat (limited to 'src/cairo-cff-subset.c')

-rw-r--r-- src/cairo-cff-subset.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 8548ae3fe..be37724b4 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1108,7 +1108,7 @@ cairo_cff_font_read_cid_fontdict (cairo_cff_font_t *font, unsigned char *ptr)
goto fail;
}
- return CAIRO_STATUS_SUCCESS;
+ status = CAIRO_STATUS_SUCCESS;
fail:
cff_index_fini (&index);
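Review bot: The hunk's trailing context stops at `cff_index_fini (&index);` and does not show what follows the label, so please confirm that the code after `fail:` returns `status` (and does not overwrite it), otherwise the success path now reports an error to callers. Since `fail:` now doubles as the normal exit, a short comment above the label such as `/* fall through: success and error both finalise index */` would make the intent clear to the next reader.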