From bad92be9270c8952ca5367e6e1d48bc4d26d4fa1 Mon Sep 17 00:00:00 2001 From: Ben Wagner Date: Thu, 9 Dec 2021 17:06:28 -0500 Subject: [PATCH] [bdf] Fix use of uninitialized value. In _bdf_readstream if the data contained no newline then the buffer would continue to grow and uninitialized data read until either the uninitialized data contained a newline or the buffer reached its maximum size. The assumption was that the line was always too long and the buffer had been filled, however this case can also happen when there is not enough data to fill the buffer. Correct this by properly setting the cursor to the end of the available data, which may be different from the end of the buffer. This may still result in one extra allocation, but only on malformed fonts. * src/bdf/bdflib.c (_bfd_readstream): Correctly update cursor. Remove unread set of `avail`. Bug: https://lists.nongnu.org/archive/html/freetype-devel/2021-12/msg00001.html --- src/bdf/bdflib.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c index b65c8a2f3..e317bdddd 100644 --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -613,7 +613,7 @@ if ( FT_QREALLOC( buf, buf_size, new_size ) ) goto Exit; - cursor = (ptrdiff_t)buf_size; + cursor = avail; buf_size = new_size; } else @@ -623,7 +623,6 @@ FT_MEM_MOVE( buf, buf + start, bytes ); cursor = bytes; - avail -= bytes; start = 0; } refill = 1;
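Review bot: In the first hunk (the `FT_QREALLOC` branch at -613), `cursor = avail;` is the right fix, since `avail` is the end of the bytes actually read while `buf_size` was only the end of the allocation; when a short read left the buffer partially filled, the old `cursor = (ptrdiff_t)buf_size;` made the next scan start past the valid data and walk the uninitialized tail. Two follow-ups: the old line cast `buf_size` but the new one assigns `avail` bare, so please confirm `cursor` and `avail` are declared with the same type rather than relying on an implicit conversion; and a one-line comment such as `/* continue after the data read so far, not at the end of the allocation */` would stop the next reader from reintroducing the `buf_size` assumption. A regression test with a BDF input whose first bytes contain no newline and end before the initial buffer is full would pin this down; it could also be run under MemorySanitizer or Valgrind, which is how this class of uninitialized read is normally caught. Minor: the ChangeLog entry names `_bfd_readstream`, but the function is `_bdf_readstream`.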
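Review bot: Dropping `avail -= bytes;` in the second hunk (-623) is only safe because the trailing `refill = 1;` routes control back through the refill path, which must recompute `avail` from `cursor` plus the bytes newly read before anything reads it again; that recomputation lives outside this hunk, so please double-check it exists on every path that reaches `refill = 1;`, since a stale `avail` here would reopen the same out-of-range scan the first hunk closes. The removal itself is an improvement: after `FT_MEM_MOVE( buf, buf + start, bytes );` and `cursor = bytes;` the decremented `avail` no longer described the moved data and only invited someone to trust it. Suggest a short comment after `cursor = bytes;` noting that `avail` is intentionally left to the refill code.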