From 3290009f5b67843950a3491a2b84fe48764c33c0 Mon Sep 17 00:00:00 2001 From: Kevin Tardif Date: Tue, 30 Oct 2012 00:27:27 -0400 Subject: [PATCH] type1-subset, cff-subset: Plugged 2 memory leaks - _cairo_type1_font_subset_fini doesn't free font->cleartext - _cairo_cff_font_create can exit without freeing font->font_name and/or font->data; _cairo_cff_font_load_opentype_cff is called to allocate font_name, then _cairo_cff_font_load_cff is called to allocate font->data, then _cairo_cff_font_load_cff's return status is checked and if it failed, it jumps to fail1. This can cause font_name to leak since the fail1 target only frees the font variable. In addition, _cairo_cff_font_load_cff can fail -after- allocating data, and then data won't be freed either.
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index e3040fc..bd8d5b5 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -2787,7 +2787,7 @@ _cairo_cff_font_create (cairo_scaled_font_subset_t *scaled_font_subset,
 if (backend->is_synthetic && backend->is_synthetic (scaled_font_subset->scaled_font))
 return CAIRO_INT_STATUS_UNSUPPORTED;
 
- font = malloc (sizeof (cairo_cff_font_t));
+ font = calloc (1, sizeof (cairo_cff_font_t));
 if (unlikely (font == NULL))
 return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
@@ -2862,11 +2862,11 @@ fail4:
 fail3:
 free (font->subset_font_name);
 fail2:
- free (font->data);
- free (font->font_name);
 free (font->ps_name);
 _cairo_array_fini (&font->output);
 fail1:
+ free (font->data);
+ free (font->font_name);
 free (font);
 
 return status;
diff --git a/src/cairo-type1-subset.c b/src/cairo-type1-subset.c
index 786055a..d285ccc 100644
--- a/src/cairo-type1-subset.c
+++ b/src/cairo-type1-subset.c
@@ -1667,6 +1667,8 @@ _cairo_type1_font_subset_fini (cairo_type1_font_subset_t *font)
 
 free (font->subset_index_to_glyphs);
 
+ free (font->cleartext);
+
 return status;
 }
 
-- 
1.8.0
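Review bot: The switch from `malloc` to `calloc` is load-bearing but undocumented: the frees of `font->data` and `font->font_name` that the second hunk moves under `fail1:` are only safe because every field starts out NULL, so `free()` on a never-assigned field is a no-op. Anyone who later "optimizes" this back to `malloc` would turn those frees into `free()` of indeterminate pointers, which is undefined behaviour and a classic route to a crash or heap corruption on an error path. A one-line comment on the allocation would pin the dependency down: `/* calloc: the failN labels free fields that may never have been assigned */`. _cairo_cff_font_create's body continues past this hunk, so the assignments between the allocation and the cleanup labels are not visible here.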
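Review bot: Moving `free (font->data)` and `free (font->font_name)` under `fail1:` makes every error path free both fields, including the path taken when a loader itself reported failure, so correctness now depends on each loader either leaving the field untouched or clearing it if it frees it internally. If `_cairo_cff_font_load_cff` (or the opentype variant) frees `font->data` on its own failure path without resetting the pointer, this hunk turns a leak into a double free; the loaders and the earlier `goto` sites are outside the hunk, so that invariant is worth confirming rather than assumed. A comment at the label would make the contract explicit for future loaders: `/* data/font_name are NULL (calloc) or owned here; loaders must not free them on failure */`. _cairo_cff_font_create starts outside this hunk.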
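Review bot: `free (font->cleartext)` runs unconditionally in a fini routine that can be reached after partial initialization, so it is only safe if the subset struct is zeroed before the parsing stages run and `cleartext` is a separately allocated buffer rather than a pointer into `font->type1_data` or another owned buffer; neither fact is visible in this hunk, and a pointer into another buffer would make this free invalid. Both are presumably true given the commit describes the field as leaking, but they are worth confirming at the site where `cleartext` is assigned. A short comment beside the new line would record the ownership for the next reader: `/* owned by the subset; NULL if it was never allocated */`. `_cairo_type1_font_subset_fini` starts outside this hunk.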