XListFontsWithInfo: avoid accessing realloc'ed memory

If exactly one of the two reallocs in XListFontsWithInfo() fails, the
subsequent code accesses memory freed by the other realloc.

Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit deedeada53676ee529d700bf96fde0b29a3a1def)

Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

1 files changed, 7 insertions, 6 deletions

diff --git a/nx-X11/lib/X11/FontInfo.c b/nx-X11/lib/X11/FontInfo.c
index 368beebe4..fb296b8a8 100644
--- a/nx-X11/lib/X11/FontInfo.c
+++ b/nx-X11/lib/X11/FontInfo.c
@@ -90,6 +90,11 @@ XFontStruct **info)	/* RETURN */
 		    Xrealloc ((char *) flist,
 			      (unsigned) (sizeof(char *) * (size+1)));
 
+		if (tmp_finfo)
+		    finfo = tmp_finfo;
+		if (tmp_flist)
+		    flist = tmp_flist;
+
 		if ((! tmp_finfo) || (! tmp_flist)) {
 		    /* free all the memory that we allocated */
 		    for (j=(i-1); (j >= 0); j--) {
@@ -97,14 +102,10 @@ XFontStruct **info)	/* RETURN */
 			if (finfo[j].properties)
 			    Xfree((char *) finfo[j].properties);
 		    }
-		    if (tmp_flist) Xfree((char *) tmp_flist);
-		    else Xfree((char *) flist);
-		    if (tmp_finfo) Xfree((char *) tmp_finfo);
-		    else Xfree((char *) finfo);
+		    Xfree((char *) flist);
+		    Xfree((char *) finfo);
 		    goto clearwire;
 		}
-		finfo = tmp_finfo;
-		flist = tmp_flist;
 	    }
 	    else {
 		if (! (finfo = (XFontStruct *)