From 148ca61075d821a09e42e2c75fbc9be47cfc6003 Mon Sep 17 00:00:00 2001
From: Bruce Mitchener
Date: Wed, 31 Jan 2018 22:24:51 +0700
Subject: [PATCH] [ot-layout] Fix nullptr dereference.

If the `calloc` for `gsub_accels` or `gpos_accels` fails, then the unlikely branch afterwards can be taken, which frees up the `hb_ot_layout_t`, but since those fields can now be `nullptr`, then we don't want to dereference them.
---
 src/hb-ot-layout.cc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/hb-ot-layout.cc b/src/hb-ot-layout.cc
index 919ecbb4b..e93fc078b 100644
--- a/src/hb-ot-layout.cc
+++ b/src/hb-ot-layout.cc
@@ -195,10 +195,12 @@ _hb_ot_layout_create (hb_face_t *face)
 void
 _hb_ot_layout_destroy (hb_ot_layout_t *layout)
 {
- for (unsigned int i = 0; i < layout->gsub_lookup_count; i++)
- layout->gsub_accels[i].fini ();
- for (unsigned int i = 0; i < layout->gpos_lookup_count; i++)
- layout->gpos_accels[i].fini ();
+ if (layout->gsub_accels)
+ for (unsigned int i = 0; i < layout->gsub_lookup_count; i++)
+ layout->gsub_accels[i].fini ();
+ if (layout->gpos_accels)
+ for (unsigned int i = 0; i < layout->gpos_lookup_count; i++)
+ layout->gpos_accels[i].fini ();
 free (layout->gsub_accels);
 free (layout->gpos_accels);
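Review bot: The new null checks in `_hb_ot_layout_destroy` only cover the array whose `calloc` failed; when just one of the two allocations fails, the loop for the other array still calls `fini ()` on every entry. If the early-exit path described in the commit message runs before those entries are initialised, `fini ()` is working on zero-filled memory, and whether it tolerates that cannot be confirmed from this hunk. I would document the precondition above the loops, e.g. `/* May run on a partially built layout: accels can be nullptr, or zero-filled and never init()ed. */`. Bracing each `if` body would also keep the nested `if`/`for` from being misread on a later edit. The function body continues past the end of the hunk.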