commit 94b38bdb722052838eb0d940c05995b870db4ea0 from: Ray Lai via: Gleydson Soares date: Sat Apr 08 00:06:42 2017 UTC libdraw: replace hand-rolled realloc, preventing buffer overflow. The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large. Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf (newsize) is mallocated. Unfortunately memmove() reads (newsize) bytes from the original (oldsize) buffer, causing a buffer overflow. By switching to realloc(), we don't need to do buffer size calculation, memmoving, and freeing of the original buffer. Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd Reviewed-on: https://plan9port-review.googlesource.com/1520 Reviewed-by: Gleydson Soares commit - 669713d43f8a014ba481265d4c58c3fe575527b4 commit + 94b38bdb722052838eb0d940c05995b870db4ea0 blob - 8370606e1f0eeafbc4df22d562572e82463bd961 blob + 13bcd267e8e88efeef9877eb7e3cedbcadc199ab --- src/libdraw/font.c +++ src/libdraw/font.c @@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int nof subf->age = 0; }else{ /* too recent; grow instead */ of = f->subf; - f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf); + f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf); if(f->subf == nil){ f->subf = of; goto Toss; } - memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf); memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf); subf = &f->subf[f->nsubf]; f->nsubf += DSUBF; - free(of); } } subf->age = 0;
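Review bot: The failure path `f->subf = of; goto Toss;` after the new `realloc()` call is correct only because realloc leaves the original block untouched when it returns nil and because `subf` still points into that block, and neither assumption is written down; I would add `/* realloc failed: of is still valid, so restore it and evict subf instead */` above the restore. On success the array may have moved, which is why `subf` must be re-derived from the new base before use, so `subf = &f->subf[f->nsubf];` deserves a one-line comment such as `/* old array may have moved; point at the first new slot */`. The `(f->nsubf+DSUBF)*sizeof *subf` size computation appears to be done in `int` before widening, so a note that nsubf is bounded elsewhere (presumably by the MAXSUBF check in the unchanged branch) would make the no-overflow argument explicit; I cannot confirm the type of nsubf from this hunk. The body of loadchar begins before and continues after this hunk.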