* src/type1/t1load.c (parse_subrs): Fix memory leak.

The `subrs' keyword might erroneously occur multiple times. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=231
2016-12-06 11:13:19 +01:00 · 2016-12-06 11:13:19 +01:00 · c0fae7da5a
parent 602be7c810
commit c0fae7da5a
2 changed files with 15 additions and 8 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2016-12-06  Werner Lemberg  <wl@gnu.org>
+
+	* src/type1/t1load.c (parse_subrs): Fix memory leak.
+
+	The `subrs' keyword might erroneously occur multiple times.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=231
+
 2016-12-01  Werner Lemberg  <wl@gnu.org>

 	[gzip] Improve building with external zlib (#49673).
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@ -1441,7 +1441,6 @@
    FT_Error   error;
    FT_Int     num_subrs;
    FT_UInt    count;
-    FT_Hash    hash = NULL;

    PSAux_Service  psaux = (PSAux_Service)face->psaux;

@ -1492,14 +1491,12 @@
                  ( parser->root.limit - parser->root.cursor ) >> 3 ));
      num_subrs = ( parser->root.limit - parser->root.cursor ) >> 3;

-      if ( !hash )
+      if ( !loader->subrs_hash )
      {
-        if ( FT_NEW( hash ) )
+        if ( FT_NEW( loader->subrs_hash ) )
          goto Fail;

-        loader->subrs_hash = hash;
-
-        error = ft_hash_num_init( hash, memory );
+        error = ft_hash_num_init( loader->subrs_hash, memory );
        if ( error )
          goto Fail;
      }
@ -1562,9 +1559,9 @@

      /* if we use a hash, the subrs index is the key, and a running */
      /* counter specified for `T1_Add_Table' acts as the value      */
-      if ( hash )
+      if ( loader->subrs_hash )
      {
-        ft_hash_num_insert( idx, count, hash, memory );
+        ft_hash_num_insert( idx, count, loader->subrs_hash, memory );
        idx = count;
      }