From e8ada07fa7dbbc88298e88a07f4b8613ec055cd8 Mon Sep 17 00:00:00 2001
From: Nickolai Zeldovich <nickolai@csail.mit.edu>
Date: Tue, 22 Jan 2013 10:03:00 -0500
Subject: XListFontsWithInfo: avoid accessing realloc'ed memory

If exactly one of the two reallocs in XListFontsWithInfo() fails, the
subsequent code accesses memory freed by the other realloc.

Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit deedeada53676ee529d700bf96fde0b29a3a1def)

Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/FontInfo.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/nx-X11/lib/X11/FontInfo.c b/nx-X11/lib/X11/FontInfo.c
index 368beebe4..fb296b8a8 100644
--- a/nx-X11/lib/X11/FontInfo.c
+++ b/nx-X11/lib/X11/FontInfo.c
@@ -90,6 +90,11 @@ XFontStruct **info)	/* RETURN */
 		    Xrealloc ((char *) flist,
 			      (unsigned) (sizeof(char *) * (size+1)));
 
+		if (tmp_finfo)
+		    finfo = tmp_finfo;
+		if (tmp_flist)
+		    flist = tmp_flist;
+
 		if ((! tmp_finfo) || (! tmp_flist)) {
 		    /* free all the memory that we allocated */
 		    for (j=(i-1); (j >= 0); j--) {
@@ -97,14 +102,10 @@ XFontStruct **info)	/* RETURN */
 			if (finfo[j].properties)
 			    Xfree((char *) finfo[j].properties);
 		    }
-		    if (tmp_flist) Xfree((char *) tmp_flist);
-		    else Xfree((char *) flist);
-		    if (tmp_finfo) Xfree((char *) tmp_finfo);
-		    else Xfree((char *) finfo);
+		    Xfree((char *) flist);
+		    Xfree((char *) finfo);
 		    goto clearwire;
 		}
-		finfo = tmp_finfo;
-		flist = tmp_flist;
 	    }
 	    else {
 		if (! (finfo = (XFontStruct *)
-- 
cgit v1.2.3