Commit a4434747558d872c55e55ce428019a8e15d222dc

Sebastian Rasmussen 2020-06-20T05:31:34

[cff] Fix handling of `style_name == NULL' (#58630). * src/cff/cffobjs.c (cff_face_init): If a call to `cff_strcpy' fails by returning NULL in `cff_face_init', `remove_style' is still called. This means that the NULL pointer is dereferenced, causing a crash.

diff --git a/ChangeLog b/ChangeLog
index 3473057..858c696 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2020-06-20  Sebastian Rasmussen  <sebras@gmail.com>
+
+	[cff] Fix handling of `style_name == NULL' (#58630).
+
+	* src/cff/cffobjs.c (cff_face_init): If a call to `cff_strcpy' fails
+	by returning NULL in `cff_face_init', `remove_style' is still
+	called.  This means that the NULL pointer is dereferenced, causing a
+	crash.
+
 2020-06-19  Sebastian Rasmussen  <sebras@gmail.com>
 
 	[cff] Fix another two memory leaks (#58629).
diff --git a/src/cff/cffobjs.c b/src/cff/cffobjs.c
index 51430b2..d555d52 100644
--- a/src/cff/cffobjs.c
+++ b/src/cff/cffobjs.c
@@ -950,7 +950,8 @@
                 style_name = cff_strcpy( memory, fullp );
 
                 /* remove the style part from the family name (if present) */
-                remove_style( cffface->family_name, style_name );
+                if ( style_name )
+                  remove_style( cffface->family_name, style_name );
               }
               break;
             }
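Review bot: The new guard makes an allocation failure look like a font with no style: `cff_strcpy` returning NULL means the copy could not be made, yet after this hunk `cff_face_init` continues as if `fullp` had held nothing, so out-of-memory is no longer distinguishable from a missing style string. If the rest of the function propagates allocation failures (its error handling is outside the hunk, so this is inferred), the stricter fix would be to set the error and jump to the cleanup label instead of silently skipping `remove_style`. If skipping is the intended behaviour, the guard deserves a comment so the next reader does not "fix" it back, e.g. `/* NULL means cff_strcpy failed; treat it as an absent style rather than aborting the face load */`. Note also that `cffface->family_name` is passed unguarded; if it can be NULL on the same path, `remove_style` needs the same check. `cff_face_init` begins and ends outside this hunk.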