authorcinap_lenrek <cinap_lenrek@felloff.net>2016-04-05 11:24:07 +0200
committercinap_lenrek <cinap_lenrek@felloff.net>2016-04-05 11:24:07 +0200
commit796e7b84bd7a49b97d3e592b4b7537c4ed096457 (patch)
treeeb64b15025079b0765b71d347f882383347cf3d7
parenta74542613df2305bd2fde7485e55fce4fafee0e6 (diff)
downloadplan9front-796e7b84bd7a49b97d3e592b4b7537c4ed096457.tar.xz
libdraw: fix out of bounds memory access after subfont array reallocation (thanks ray)
/n/bugs/open/libdrawfont.c_buffer_overflow http://bugs.9front.org/open/libdrawfont.c_buffer_overflow/readme ray@raylai.com Hi all, In plan9port this bug keeps crashing mc when I run lc in a directory with Chinese characters. This is a diff from OpenBSD but it should apply cleanly to the various plan9 sources. The code is basically trying to do a realloc (I guess realloc wasn't available back then?) but it copies too much from the original buffer. Since realloc is available, just use it. If realloc isn't available outside plan9port (I haven't checked) the memmove line should be changed from: memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf); to: memmove(f->subf, of, f->nsubf*sizeof *subf); I hope this is helpful. Ray
-rw-r--r--sys/src/libdraw/font.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/sys/src/libdraw/font.c b/sys/src/libdraw/font.c
index 60488f5a7..ef43b2ac0 100644
--- a/sys/src/libdraw/font.c
+++ b/sys/src/libdraw/font.c
@@ -216,16 +216,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int noflush, char **subfontname)
subf->age = 0;
}else{ /* too recent; grow instead */
of = f->subf;
- f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+ f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
if(f->subf == nil){
f->subf = of;
goto Toss;
}
- memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
- memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
subf = &f->subf[f->nsubf];
+ memset(subf, 0, DSUBF*sizeof *subf);
f->nsubf += DSUBF;
- free(of);
}
}
subf->age = 0;
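Review bot: The failure branch `f->subf = of;` is correct only because realloc leaves the original block untouched when it returns nil, and nothing in the hunk says so; a reader who has just seen `free(of)` deleted may take `of` for a dangling pointer. The usual idiom avoids the temporary clobber altogether: assign the result to a local first, `nsubf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf); if(nsubf == nil) goto Toss; f->subf = nsubf;`, which also removes the need to restore `f->subf`. If the current shape is kept, a one-line comment such as `/* realloc failure leaves 'of' valid; keep it */` above the nil check would do. The size expression `(f->nsubf+DSUBF)*sizeof *subf` does its addition in int before widening to size_t; it presumably cannot overflow given the growth step here, but the assumption is worth stating next to DSUBF. loadchar begins and ends outside this hunk, so what Toss does on the failure path is not visible here.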