libfs: Changes to 'upstream-unstable'
autogen.sh | 4
configure.ac | 3
src/FSFontInfo.c | 235 +++++++++++++++++--------------------------------------
src/FSFtNames.c | 10 +-
src/FSGetCats.c | 7 -
src/FSListCats.c | 11 +-
src/FSListExt.c | 8 -
src/FSOpenServ.c | 37 +++-----
src/FSQGlyphs.c | 19 ++--
src/FSQXExt.c | 7 -
src/FSQXInfo.c | 7 -
src/FSlibInt.c | 10 +-
src/Makefile.am | 4
test/Makefile.am | 2
14 files changed, 137 insertions(+), 227 deletions(-)
New commits:
commit 9d1458e02fe8dcac68b32917c9b10fa49d7161e7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Tue May 28 17:17:40 2013 -0700
libFS 1.0.5
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index d062381..b00749f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libFS], [1.0.4],
+AC_INIT([libFS], [1.0.5],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libFS])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit 26dc23446c2e7818fdebfb46e101bac4883df07e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun Apr 14 09:07:32 2013 -0700
Sign extension issue and integer overflow in FSOpenServer() [CVE-2013-1996]
> altlen = (int) *ad++; <-- if char is 0xff, will sign extend to int (0xffffffff == -1)
> alts[i].name = (char *) FSmalloc(altlen + 1); <-- -1 + 1 == 0
> ...
> memmove(alts[i].name, ad, altlen); <-- memory corruption
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c
index f1a6157..15a657a 100644
--- a/src/FSOpenServ.c
+++ b/src/FSOpenServ.c
@@ -111,10 +111,10 @@ FSOpenServer(const char *server)
char *setup = NULL;
fsConnSetupAccept conn;
char *auth_data = NULL;
- char *alt_data = NULL,
+ unsigned char *alt_data = NULL,
*ad;
AlternateServer *alts = NULL;
- int altlen;
+ unsigned int altlen;
char *vendor_string;
unsigned long setuplength;
@@ -157,7 +157,7 @@ FSOpenServer(const char *server)
setuplength = prefix.alternate_len << 2;
if (setuplength > (SIZE_MAX>>2)
- || (alt_data = (char *)
+ || (alt_data = (unsigned char *)
(setup = FSmalloc(setuplength))) == NULL) {
goto fail;
}
@@ -176,7 +176,7 @@ FSOpenServer(const char *server)
}
for (i = 0; i < prefix.num_alternates; i++) {
alts[i].subset = (Bool) *ad++;
- altlen = (int) *ad++;
+ altlen = (unsigned int) *ad++;
alts[i].name = FSmalloc(altlen + 1);
if (!alts[i].name) {
while (--i) {
commit f6030dd569094fb29720a4bf54aec784b1edcac5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Apr 10 21:43:40 2013 -0700
Get rid of more duplication in error cleanup code in FSListFontsWithXInfo
Also get rely on free() to handle null pointers in cleanup code instead
of checking each one ourselves.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c
index 2abff4f..b51e043 100644
--- a/src/FSFontInfo.c
+++ b/src/FSFontInfo.c
@@ -78,6 +78,7 @@ FSListFontsWithXInfo(
fsPropInfo local_pi;
fsPropOffset local_po;
Status status;
+ Bool eat_data = True;
GetReq(ListFontsWithXInfo, req);
req->maxNames = maxNames;
@@ -101,26 +102,8 @@ FSListFontsWithXInfo(
SIZEOF(fsGenericReply)) >> 2), fsFalse);
}
if (!status) {
- for (j = (i - 1); j >= 0; j--) {
- FSfree(fhdr[j]);
- FSfree(pi[j]);
- FSfree(po[j]);
- FSfree(pd[j]);
- FSfree(flist[j]);
- }
- if (flist)
- FSfree(flist);
- if (fhdr)
- FSfree(fhdr);
- if (pi)
- FSfree(pi);
- if (po)
- FSfree(po);
- if (pd)
- FSfree(pd);
-
- SyncHandle();
- return (char **) NULL;
+ eat_data = False;
+ goto badmem;
}
if (reply.nameLength == 0) /* got last reply in version 1 */
break;
@@ -148,30 +131,16 @@ FSListFontsWithXInfo(
ResizeArray(po, FSPropOffset)
ResizeArray(pd, unsigned char)
} else {
- if (!(fhdr = FSmalloc(sizeof(FSXFontInfoHeader *) * size)))
- goto clearwire;
- if (!(flist = FSmalloc(sizeof(char *) * size))) {
- FSfree(fhdr);
- goto clearwire;
- }
- if (!(pi = FSmalloc(sizeof(FSPropInfo *) * size))) {
- FSfree(fhdr);
- FSfree(flist);
- goto clearwire;
- }
- if (!(po = FSmalloc(sizeof(FSPropOffset *) * size))) {
- FSfree(fhdr);
- FSfree(flist);
- FSfree(pi);
- goto clearwire;
- }
- if (!(pd = FSmalloc(sizeof(unsigned char *) * size))) {
- FSfree(fhdr);
- FSfree(flist);
- FSfree(pi);
- FSfree(po);
- goto clearwire;
+#define InitArray(var, type) \
+ if ((var = FSmalloc(sizeof(type *) * size)) == NULL) { \
+ goto badmem; \
}
+
+ InitArray(fhdr, FSXFontInfoHeader)
+ InitArray(flist, char)
+ InitArray(pi, FSPropInfo)
+ InitArray(po, FSPropOffset)
+ InitArray(pd, unsigned char)
}
}
fhdr[i] = FSmalloc(sizeof(FSXFontInfoHeader));
@@ -182,45 +151,33 @@ FSListFontsWithXInfo(
/* alloc space for the name */
flist[i] = FSmalloc(reply.nameLength + 1);
+ if (!flist[i])
+ goto cleanfhdr;
if (FSProtocolVersion(svr) == 1)
{
/* get the name */
- if (!flist[i]) {
- nbytes = (reply.nameLength + 3) & ~3;
- _FSEatData(svr, (unsigned long) nbytes);
- goto badmem;
- }
_FSReadPad(svr, flist[i], (long) reply.nameLength);
flist[i][reply.nameLength] = '\0';
}
pi[i] = FSmalloc(sizeof(FSPropInfo));
- if (!pi[i]) {
- FSfree(fhdr[i]);
- goto badmem;
- }
+ if (!pi[i])
+ goto cleanflist;
_FSReadPad(svr, (char *) &local_pi, SIZEOF(fsPropInfo));
pi[i]->num_offsets = local_pi.num_offsets;
pi[i]->data_len = local_pi.data_len;
#if SIZE_MAX <= UINT_MAX
if (pi[i]->num_offsets > SIZE_MAX / sizeof(FSPropOffset))
- goto badmem;
+ goto cleanpi;
#endif
po[i] = FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
- if (!po[i]) {
- FSfree(fhdr[i]);
- FSfree(pi[i]);
- goto badmem;
- }
+ if (!po[i])
+ goto cleanpi;
pd[i] = FSmalloc(pi[i]->data_len);
- if (!pd[i]) {
- FSfree(fhdr[i]);
- FSfree(pi[i]);
- FSfree(po[i]);
- goto badmem;
- }
+ if (!pd[i])
+ goto cleanpo;
/* get offsets */
for (j=0; j<pi[i]->num_offsets; j++)
{
@@ -241,11 +198,6 @@ FSListFontsWithXInfo(
if (FSProtocolVersion(svr) != 1)
{
/* get the name */
- if (!flist[i]) {
- nbytes = (reply.nameLength + 3) & ~3;
- _FSEatData(svr, (unsigned long) nbytes);
- goto badmem;
- }
_FSRead(svr, flist[i], (long) reply.nameLength);
flist[i][reply.nameLength] = '\0';
@@ -254,7 +206,7 @@ FSListFontsWithXInfo(
}
/* avoid integer overflow */
if (i > INT_MAX - 1) {
- goto badmem;
+ goto cleanpd;
}
}
*info = fhdr;
@@ -265,6 +217,18 @@ FSListFontsWithXInfo(
SyncHandle();
return flist;
+/* Error cleanup for when we're partway through filling in item #i in arrays */
+cleanpd:
+ FSfree(pd[i]);
+cleanpo:
+ FSfree(po[i]);
+cleanpi:
+ FSfree(pi[i]);
+cleanflist:
+ FSfree(flist[i]);
+cleanfhdr:
+ FSfree(fhdr[i]);
+/* Error cleanup for all previously filled in items in the arrays */
badmem:
for (j = (i - 1); j >= 0; j--) {
FSfree(pi[j]);
@@ -273,29 +237,25 @@ badmem:
FSfree(flist[j]);
FSfree(fhdr[j]);
}
- if (flist)
- FSfree(flist);
- if (fhdr)
- FSfree(fhdr);
- if (pi)
- FSfree(pi);
- if (po)
- FSfree(po);
- if (pd)
- FSfree(pd);
+ FSfree(flist);
+ FSfree(fhdr);
+ FSfree(pi);
+ FSfree(po);
+ FSfree(pd);
+ if (eat_data) {
+ do {
+ fsPropInfo ti;
-clearwire:
- do {
- fsPropInfo ti;
-
- _FSEatData(svr, (reply.nameLength + 3) & ~3);
- _FSReadPad(svr, (char *) &ti, SIZEOF(fsPropInfo));
- _FSEatData(svr, (SIZEOF(fsPropOffset) * ti.num_offsets));
- _FSEatData(svr, ti.data_len);
- } while (_FSReply(svr, (fsReply *) & reply,
- ((SIZEOF(fsListFontsWithXInfoReply)
- - SIZEOF(fsGenericReply)) >> 2), fsFalse) && (reply.nameLength != 0));
+ _FSEatData(svr, (reply.nameLength + 3) & ~3);
+ _FSReadPad(svr, (char *) &ti, SIZEOF(fsPropInfo));
+ _FSEatData(svr, (SIZEOF(fsPropOffset) * ti.num_offsets));
+ _FSEatData(svr, ti.data_len);
+ } while (_FSReply(svr, (fsReply *) &reply,
+ ((SIZEOF(fsListFontsWithXInfoReply)
+ - SIZEOF(fsGenericReply)) >> 2), fsFalse)
+ && (reply.nameLength != 0));
+ }
SyncHandle();
return (char **) NULL;
}
commit 1f260bfdcb8d83d6c21db70ad6ed0fa94e5f5abf
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Apr 10 20:55:36 2013 -0700
Avoid accessing freed memory on realloc failure in FSListFontsWithXInfo
Since we realloc 5 things in a row, and then check for failure, it's
quite possible one of our old pointers is now pointing to something
completely different, so instead update the pointers as we successfully
realloc them and then jump to the normal error processing cleanup if
one fails.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c
index 0b71719..2abff4f 100644
--- a/src/FSFontInfo.c
+++ b/src/FSFontInfo.c
@@ -134,52 +134,19 @@ FSListFontsWithXInfo(
goto badmem;
if (fhdr) {
- FSXFontInfoHeader **tmp_fhdr =
- FSrealloc(fhdr, sizeof(FSXFontInfoHeader *) * size);
- char **tmp_flist =
- FSrealloc(flist, sizeof(char *) * size);
- FSPropInfo **tmp_pi =
- FSrealloc(pi, sizeof(FSPropInfo *) * size);
- FSPropOffset **tmp_po =
- FSrealloc(po, sizeof(FSPropOffset *) * size);
- unsigned char **tmp_pd =
- FSrealloc(pd, sizeof(unsigned char *) * size);
-
- if (!tmp_fhdr || !tmp_flist || !tmp_pi || !tmp_po || !tmp_pd) {
- for (j = (i - 1); j >= 0; j--) {
- FSfree(flist[j]);
- FSfree(fhdr[j]);
- FSfree(pi[j]);
- FSfree(po[j]);
- FSfree(pd[j]);
- }
- if (tmp_flist)
- FSfree(tmp_flist);
- else
- FSfree(flist);
- if (tmp_fhdr)
- FSfree(tmp_fhdr);
- else
- FSfree(fhdr);
- if (tmp_pi)
- FSfree(tmp_pi);
- else
- FSfree(pi);
- if (tmp_po)
- FSfree(tmp_po);
- else
- FSfree(po);
- if (tmp_pd)
- FSfree(tmp_pd);
- else
- FSfree(pd);
- goto clearwire;
+#define ResizeArray(var, type) { \
+ type **tmp = FSrealloc(var, sizeof(type *) * size); \
+ if (tmp) \
+ var = tmp; \
+ else \
+ goto badmem; \
}
- fhdr = tmp_fhdr;
- flist = tmp_flist;
- pi = tmp_pi;
- po = tmp_po;
- pd = tmp_pd;
+
+ ResizeArray(fhdr, FSXFontInfoHeader)
+ ResizeArray(flist, char)
+ ResizeArray(pi, FSPropInfo)
+ ResizeArray(po, FSPropOffset)
+ ResizeArray(pd, unsigned char)
} else {
if (!(fhdr = FSmalloc(sizeof(FSXFontInfoHeader *) * size)))
goto clearwire;
commit 3022dfdcdac08a4950695ded9f372e845f2be008
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Apr 10 19:04:22 2013 -0700
Avoid reading outside bounds when _FSReply receives an Error response
Upon receiving a response, _FSReply copies the first 8 bytes into *rep
and then looks at them to determine what type of response. If it's an
error packet, it then converts to an error struct and reads the rest,
but it was copying 16 bytes out of *rep to begin with, due to sloppy
casting. Since we immediately overwrite the second 8 bytes with the
data coming off the wire, this isn't horrible, but it really freaks out
static analysis and memory debugging tools.
Fixes parfait 1.1 warning:
Error: Buffer overrun
Read Outside Array Bounds in STD C function: Read outside array bounds in call to llvm.memcpy.p0i8.p0i8.i64. Buffer ((char*)((union fsError*)rep)) of size ??? is read at an offset of 16
size(((char*)((union fsError*)rep))) is 8, 16 is 16
at line 751 of src/FSlibInt.c in function '_FSReply'.
called at line 67 of src/FSSync.c in function 'FSSync' with rep = ((union fsReply*)&rep).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSlibInt.c b/src/FSlibInt.c
index 0c24f89..96c5e62 100644
--- a/src/FSlibInt.c
+++ b/src/FSlibInt.c
@@ -748,7 +748,8 @@ _FSReply(
unsigned long serial;
long err_data;
- err = *(fsError *) rep;
+ /* copy in the part we already read off the wire */
+ memcpy(&err, rep, SIZEOF(fsReply));
/* read the rest of the error */
_FSRead(svr, (char *) &err + SIZEOF(fsReply),
(long) (SIZEOF(fsError) - SIZEOF(fsReply)));
commit 932131874109931bb6d50acc47ac94e51a2353de
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Apr 10 18:54:35 2013 -0700
Use NULL instead of 0 for null pointers
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c
index bfeeb65..0b71719 100644
--- a/src/FSFontInfo.c
+++ b/src/FSFontInfo.c
@@ -68,10 +68,10 @@ FSListFontsWithXInfo(
int i,
j;
size_t size = 0;
- FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
- FSPropInfo **pi = (FSPropInfo **) 0;
- FSPropOffset **po = (FSPropOffset **) 0;
- unsigned char **pd = (unsigned char **) 0;
+ FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) NULL;
+ FSPropInfo **pi = (FSPropInfo **) NULL;
+ FSPropOffset **po = (FSPropOffset **) NULL;
+ unsigned char **pd = (unsigned char **) NULL;
char **flist = NULL;
fsListFontsWithXInfoReply reply;
fsListFontsWithXInfoReq *req;
diff --git a/src/FSFtNames.c b/src/FSFtNames.c
index f884d75..1cac9d4 100644
--- a/src/FSFtNames.c
+++ b/src/FSFtNames.c
@@ -77,7 +77,7 @@ FSListFonts(
_FSSend(svr, pattern, nbytes);
if (!_FSReply(svr, (fsReply *) & rep,
(SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
- return (char **) 0;
+ return (char **) NULL;
if (rep.nFonts
#if (SIZE_MAX >> 2) <= UINT_MAX
diff --git a/src/FSListCats.c b/src/FSListCats.c
index 0135792..7987f79 100644
--- a/src/FSListCats.c
+++ b/src/FSListCats.c
@@ -77,7 +77,7 @@ FSListCatalogues(
_FSSend(svr, pattern, nbytes);
if (!_FSReply(svr, (fsReply *) & rep,
(SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
- return (char **) 0;
+ return (char **) NULL;
if (rep.num_catalogues
#if (SIZE_MAX >> 2) <= UINT_MAX
commit 90b9754da977cb6804da4c38711ff33db772a9ca
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Apr 10 18:30:24 2013 -0700
Get rid of unnecessary casts in FSfree calls
No need to cast all other pointers to char *, since C89 free takes
any type of pointer. Casting all of them just hides errors if you
try to free something that's not really a pointer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c
index fcc91ea..bfeeb65 100644
--- a/src/FSFontInfo.c
+++ b/src/FSFontInfo.c
@@ -102,22 +102,22 @@ FSListFontsWithXInfo(
}
if (!status) {
for (j = (i - 1); j >= 0; j--) {
- FSfree((char *) fhdr[j]);
- FSfree((char *) pi[j]);
- FSfree((char *) po[j]);
- FSfree((char *) pd[j]);
+ FSfree(fhdr[j]);
+ FSfree(pi[j]);
+ FSfree(po[j]);
+ FSfree(pd[j]);
FSfree(flist[j]);
}
if (flist)
- FSfree((char *) flist);
+ FSfree(flist);
if (fhdr)
- FSfree((char *) fhdr);
+ FSfree(fhdr);
if (pi)
- FSfree((char *) pi);
+ FSfree(pi);
if (po)
- FSfree((char *) po);
+ FSfree(po);
if (pd)
- FSfree((char *) pd);
+ FSfree(pd);
SyncHandle();
return (char **) NULL;
@@ -147,32 +147,32 @@ FSListFontsWithXInfo(
if (!tmp_fhdr || !tmp_flist || !tmp_pi || !tmp_po || !tmp_pd) {
for (j = (i - 1); j >= 0; j--) {
- FSfree((char *) flist[j]);
- FSfree((char *) fhdr[j]);
- FSfree((char *) pi[j]);
- FSfree((char *) po[j]);
- FSfree((char *) pd[j]);
+ FSfree(flist[j]);
+ FSfree(fhdr[j]);
+ FSfree(pi[j]);
+ FSfree(po[j]);
+ FSfree(pd[j]);
}
if (tmp_flist)
- FSfree((char *) tmp_flist);
+ FSfree(tmp_flist);
else
- FSfree((char *) flist);
+ FSfree(flist);
if (tmp_fhdr)
- FSfree((char *) tmp_fhdr);
+ FSfree(tmp_fhdr);
else
- FSfree((char *) fhdr);
+ FSfree(fhdr);
if (tmp_pi)
- FSfree((char *) tmp_pi);
+ FSfree(tmp_pi);
else
- FSfree((char *) pi);
+ FSfree(pi);
if (tmp_po)
- FSfree((char *) tmp_po);
+ FSfree(tmp_po);
else
- FSfree((char *) po);
+ FSfree(po);
if (tmp_pd)
- FSfree((char *) tmp_pd);
+ FSfree(tmp_pd);
else
- FSfree((char *) pd);
+ FSfree(pd);
goto clearwire;
}
fhdr = tmp_fhdr;
@@ -184,25 +184,25 @@ FSListFontsWithXInfo(
if (!(fhdr = FSmalloc(sizeof(FSXFontInfoHeader *) * size)))
goto clearwire;
if (!(flist = FSmalloc(sizeof(char *) * size))) {
- FSfree((char *) fhdr);
+ FSfree(fhdr);
goto clearwire;
}
if (!(pi = FSmalloc(sizeof(FSPropInfo *) * size))) {
- FSfree((char *) fhdr);
- FSfree((char *) flist);
+ FSfree(fhdr);
+ FSfree(flist);
goto clearwire;
}
if (!(po = FSmalloc(sizeof(FSPropOffset *) * size))) {
- FSfree((char *) fhdr);
- FSfree((char *) flist);
- FSfree((char *) pi);
+ FSfree(fhdr);
+ FSfree(flist);
+ FSfree(pi);
goto clearwire;
}
if (!(pd = FSmalloc(sizeof(unsigned char *) * size))) {
- FSfree((char *) fhdr);
- FSfree((char *) flist);
- FSfree((char *) pi);
- FSfree((char *) po);
+ FSfree(fhdr);
+ FSfree(flist);
+ FSfree(pi);
+ FSfree(po);
goto clearwire;
}
}
@@ -229,7 +229,7 @@ FSListFontsWithXInfo(
pi[i] = FSmalloc(sizeof(FSPropInfo));
if (!pi[i]) {
- FSfree((char *) fhdr[i]);
+ FSfree(fhdr[i]);
goto badmem;
}
_FSReadPad(svr, (char *) &local_pi, SIZEOF(fsPropInfo));
@@ -243,15 +243,15 @@ FSListFontsWithXInfo(
po[i] = FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
if (!po[i]) {
- FSfree((char *) fhdr[i]);
- FSfree((char *) pi[i]);
+ FSfree(fhdr[i]);
+ FSfree(pi[i]);
goto badmem;
}
pd[i] = FSmalloc(pi[i]->data_len);
if (!pd[i]) {
- FSfree((char *) fhdr[i]);
- FSfree((char *) pi[i]);
- FSfree((char *) po[i]);
+ FSfree(fhdr[i]);
+ FSfree(pi[i]);
+ FSfree(po[i]);
goto badmem;
}
/* get offsets */
@@ -300,22 +300,22 @@ FSListFontsWithXInfo(
badmem:
for (j = (i - 1); j >= 0; j--) {
- FSfree((char *) pi[j]);
- FSfree((char *) po[j]);
- FSfree((char *) pd[j]);
+ FSfree(pi[j]);
+ FSfree(po[j]);
+ FSfree(pd[j]);
FSfree(flist[j]);
- FSfree((char *) fhdr[j]);
+ FSfree(fhdr[j]);
}
if (flist)
- FSfree((char *) flist);
+ FSfree(flist);
if (fhdr)
- FSfree((char *) fhdr);
+ FSfree(fhdr);
if (pi)
- FSfree((char *) pi);
+ FSfree(pi);
if (po)
- FSfree((char *) po);
+ FSfree(po);
if (pd)
- FSfree((char *) pd);
+ FSfree(pd);
clearwire:
diff --git a/src/FSFtNames.c b/src/FSFtNames.c
index 470c176..f884d75 100644
--- a/src/FSFtNames.c
+++ b/src/FSFtNames.c
@@ -91,7 +91,7 @@ FSListFonts(
if ((!flist) || (!c)) {
if (flist)
- FSfree((char *) flist);
+ FSfree(flist);
if (c)
FSfree(c);
_FSEatData(svr, (unsigned long) rlen);
@@ -122,7 +122,7 @@ int FSFreeFontNames(char **list)
{
if (list) {
FSfree(list[0] - 1);
- FSfree((char *) list);
+ FSfree(list);
}
return 1;
}
diff --git a/src/FSGetCats.c b/src/FSGetCats.c
index e009add..75f8c36 100644
--- a/src/FSGetCats.c
+++ b/src/FSGetCats.c
@@ -84,7 +84,7 @@ FSGetCatalogues(
c = FSmalloc(rlen + 1);
if ((!list) || (!c)) {
if (list)
- FSfree((char *) list);
+ FSfree(list);
if (c)
FSfree(c);
_FSEatData(svr, (unsigned long) rlen);
diff --git a/src/FSListCats.c b/src/FSListCats.c
index d27f211..0135792 100644
--- a/src/FSListCats.c
+++ b/src/FSListCats.c
@@ -91,7 +91,7 @@ FSListCatalogues(
if ((!clist) || (!c)) {
if (clist)
- FSfree((char *) clist);
+ FSfree(clist);
if (c)
FSfree(c);
_FSEatData(svr, (unsigned long) rlen);
@@ -122,7 +122,7 @@ int FSFreeCatalogues(char **list)
{
if (list) {
FSfree(list[0] - 1);
- FSfree((char *) list);
+ FSfree(list);
}
return 1;
}
diff --git a/src/FSListExt.c b/src/FSListExt.c
index ca4254e..c127003 100644
--- a/src/FSListExt.c
+++ b/src/FSListExt.c
@@ -84,7 +84,7 @@ FSListExtensions(
c = FSmalloc(rlen + 1);
if ((!list) || (!c)) {
if (list)
- FSfree((char *) list);
+ FSfree(list);
if (c)
FSfree(c);
_FSEatData(svr, (unsigned long) rlen);
@@ -115,7 +115,7 @@ int FSFreeExtensionList(char **list)
{
if (list != NULL) {
FSfree(list[0] - 1);
- FSfree((char *) list);
+ FSfree(list);
}
return 1;
}
diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c
index 31f4c86..f1a6157 100644
--- a/src/FSOpenServ.c
+++ b/src/FSOpenServ.c
@@ -80,7 +80,7 @@ void _FSFreeServerStructure(FSServer *svr)
if (svr->buffer)
FSfree(svr->buffer);
- FSfree((char *) svr);
+ FSfree(svr);
}
static
@@ -180,7 +180,7 @@ FSOpenServer(const char *server)
alts[i].name = FSmalloc(altlen + 1);
if (!alts[i].name) {
while (--i) {
- FSfree((char *) alts[i].name);
+ FSfree(alts[i].name);
}
goto fail;
}
@@ -188,7 +188,7 @@ FSOpenServer(const char *server)
alts[i].name[altlen] = '\0';
ad += altlen + ((4 - (altlen + 2)) & 3);
}
- FSfree((char *) alt_data);
+ FSfree(alt_data);
alt_data = NULL;
svr->alternate_servers = alts;
@@ -260,9 +260,9 @@ FSOpenServer(const char *server)
return (svr);
fail: /* Failure: clean up and return null */
- FSfree((char *) alts);
- FSfree((char *) alt_data);
- FSfree((char *) auth_data);
+ FSfree(alts);
+ FSfree(alt_data);
+ FSfree(auth_data);
OutOfMemory(svr, setup);
return (FSServer *) NULL;
diff --git a/src/FSQGlyphs.c b/src/FSQGlyphs.c
index 9fbe2f4..9681ef0 100644
--- a/src/FSQGlyphs.c
+++ b/src/FSQGlyphs.c
@@ -98,7 +98,7 @@ FSQueryXBitmaps8(
#if (SIZE_MAX >> 2) <= UINT_MAX
/* XXX This thest is incomplete */
if (reply.length > (SIZE_MAX >> 2)) {
- FSfree((char *) offs);
+ FSfree(offs);
return FSBadAlloc;
}
#endif
@@ -107,7 +107,7 @@ FSQueryXBitmaps8(
gd = FSmalloc(left);
*glyphdata = gd;
if (!gd) {
- FSfree((char *) offs);
+ FSfree(offs);
return FSBadAlloc;
}
for (i=0; i<reply.num_chars; i++)
@@ -183,7 +183,7 @@ FSQueryXBitmaps16(
#if (SIZE_MAX >> 2) <= UINT_MAX
/* XXX - this test is incomplete */
if (reply.length > (SIZE_MAX>>2)) {
- FSfree((char *) offs);
+ FSfree(offs);
return FSBadAlloc;
}
#endif
@@ -192,7 +192,7 @@ FSQueryXBitmaps16(
gd = FSmalloc(left);
*glyphdata = gd;
if (!gd) {
- FSfree((char *) offs);
+ FSfree(offs);
return FSBadAlloc;
}
for (i=0; i<reply.num_chars; i++)
diff --git a/src/FSQXInfo.c b/src/FSQXInfo.c
index 3e3a564..0edae0a 100644
--- a/src/FSQXInfo.c
+++ b/src/FSQXInfo.c
@@ -103,7 +103,7 @@ FSQueryXInfo(
return FSBadAlloc;
pdata = FSmalloc(props->data_len);
if (!pdata) {
- FSfree((char *) offset_data);
+ FSfree(offset_data);
return FSBadAlloc;
}
/* get offsets */
commit 2cf3ed903048758ee696d410aba6afefd1582dec
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed Apr 10 18:26:22 2013 -0700
Get rid of unnecessary casts in FS*alloc calls
Stop taking 64-bit size_t, truncating to 32-bit unsigned int, and then
putting into a 64-bit size_t argument to underlying *alloc call.
Also stop casting results, since in C, that just hides missing prototype
errors that can cause memory corruption when taking an implicit 32-bit
int return value and trying to make a 64-bit pointer out of it.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c
index d9c84b6..fcc91ea 100644
--- a/src/FSFontInfo.c
+++ b/src/FSFontInfo.c
@@ -134,20 +134,16 @@ FSListFontsWithXInfo(
goto badmem;
if (fhdr) {
- FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
- FSrealloc((char *) fhdr,
- (unsigned) (sizeof(FSXFontInfoHeader *) * size));
- char **tmp_flist = (char **) FSrealloc((char *) flist,
- (unsigned) (sizeof(char *) * size));
- FSPropInfo **tmp_pi = (FSPropInfo **)
- FSrealloc((char *) pi,
- (unsigned) (sizeof(FSPropInfo *) * size));
- FSPropOffset **tmp_po = (FSPropOffset **)
- FSrealloc((char *) po,
- (unsigned) (sizeof(FSPropOffset *) * size));
- unsigned char **tmp_pd = (unsigned char **)
- FSrealloc((char *) pd,
- (unsigned) (sizeof(unsigned char *) * size));
+ FSXFontInfoHeader **tmp_fhdr =
+ FSrealloc(fhdr, sizeof(FSXFontInfoHeader *) * size);
+ char **tmp_flist =
+ FSrealloc(flist, sizeof(char *) * size);
+ FSPropInfo **tmp_pi =
+ FSrealloc(pi, sizeof(FSPropInfo *) * size);
+ FSPropOffset **tmp_po =
+ FSrealloc(po, sizeof(FSPropOffset *) * size);
+ unsigned char **tmp_pd =
+ FSrealloc(pd, sizeof(unsigned char *) * size);
if (!tmp_fhdr || !tmp_flist || !tmp_pi || !tmp_po || !tmp_pd) {
for (j = (i - 1); j >= 0; j--) {
@@ -185,29 +181,24 @@ FSListFontsWithXInfo(
po = tmp_po;
pd = tmp_pd;
} else {
- if (!(fhdr = (FSXFontInfoHeader **)
- FSmalloc((unsigned) (sizeof(FSXFontInfoHeader *) * size))))
+ if (!(fhdr = FSmalloc(sizeof(FSXFontInfoHeader *) * size)))
goto clearwire;
- if (!(flist = (char **)
- FSmalloc((unsigned) (sizeof(char *) * size)))) {
+ if (!(flist = FSmalloc(sizeof(char *) * size))) {
FSfree((char *) fhdr);
goto clearwire;
}
- if (!(pi = (FSPropInfo **)
- FSmalloc((unsigned) (sizeof(FSPropInfo *) * size)))) {
+ if (!(pi = FSmalloc(sizeof(FSPropInfo *) * size))) {
FSfree((char *) fhdr);
FSfree((char *) flist);
goto clearwire;
}
- if (!(po = (FSPropOffset **)
- FSmalloc((unsigned) (sizeof(FSPropOffset *) * size)))) {
+ if (!(po = FSmalloc(sizeof(FSPropOffset *) * size))) {
FSfree((char *) fhdr);
FSfree((char *) flist);
FSfree((char *) pi);
goto clearwire;
}
- if (!(pd = (unsigned char **)
- FSmalloc((unsigned) (sizeof(unsigned char *) * size)))) {
+ if (!(pd = FSmalloc(sizeof(unsigned char *) * size))) {
FSfree((char *) fhdr);
FSfree((char *) flist);
FSfree((char *) pi);
@@ -216,14 +207,14 @@ FSListFontsWithXInfo(
}
}
}
- fhdr[i] = (FSXFontInfoHeader *) FSmalloc(sizeof(FSXFontInfoHeader));
+ fhdr[i] = FSmalloc(sizeof(FSXFontInfoHeader));
if (!fhdr[i]) {
goto badmem;
}
FSUnpack_XFontInfoHeader(&reply, fhdr[i], FSProtocolVersion(svr));
/* alloc space for the name */
- flist[i] = (char *) FSmalloc((unsigned int) (reply.nameLength + 1));
+ flist[i] = FSmalloc(reply.nameLength + 1);
if (FSProtocolVersion(svr) == 1)
{
/* get the name */
@@ -236,7 +227,7 @@ FSListFontsWithXInfo(
flist[i][reply.nameLength] = '\0';
}
- pi[i] = (FSPropInfo *) FSmalloc(sizeof(FSPropInfo));
+ pi[i] = FSmalloc(sizeof(FSPropInfo));
if (!pi[i]) {
FSfree((char *) fhdr[i]);
goto badmem;
@@ -250,14 +241,13 @@ FSListFontsWithXInfo(
goto badmem;
#endif
- po[i] = (FSPropOffset *)
- FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
+ po[i] = FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
if (!po[i]) {
FSfree((char *) fhdr[i]);
FSfree((char *) pi[i]);
goto badmem;
}
- pd[i] = (unsigned char *) FSmalloc(pi[i]->data_len);
+ pd[i] = FSmalloc(pi[i]->data_len);
if (!pd[i]) {
FSfree((char *) fhdr[i]);
FSfree((char *) pi[i]);
Reply to: