> Index: Makefile
> ===================================================================
> RCS file: /home/cvs/ports/plan9/plan9port/Makefile,v
> retrieving revision 1.13
> diff -u -p -u -p -r1.13 Makefile
> --- Makefile 24 Jan 2016 01:07:19 -0000 1.13
> +++ Makefile 4 Apr 2016 19:28:12 -0000
> @@ -6,6 +6,7 @@ BROKEN-powerpc = threading issues
> COMMENT = Plan 9 from user space
>
> DISTNAME = plan9port-20160122
> +PKGNAME = ${DISTNAME}p0
>
> GH_ACCOUNT = 9fans
> GH_PROJECT = plan9port
> Index: patches/patch-src_libdraw_font_c
> ===================================================================
> RCS file: patches/patch-src_libdraw_font_c
> diff -N patches/patch-src_libdraw_font_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_libdraw_font_c 27 Mar 2016 04:18:54 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +--- src/libdraw/font.c.orig Fri Jan 22 19:52:32 2016
> ++++ src/libdraw/font.c Sun Mar 27 12:18:14 2016
> +@@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int nof
> + subf->age = 0;
> + }else{ /* too recent; grow instead */
> + of = f->subf;
> +- f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
> ++ f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
This is a perfect case for reallocarray(3). If overflow happens here...
> + if(f->subf == nil){
> + f->subf = of;
> + goto Toss;
> + }
> +- memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
> + memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
... but not here, memset(3) would attempt to write beyond buffer.
> + subf = &f->subf[f->nsubf];
> + f->nsubf += DSUBF;
> +- free(of);
> + }
> + }
> + subf->age = 0;
>
--
Dmitrij D. Czarkoff
