splineutil: avoid a use-after-free in AnchorPointsRemoveName()

Move the freeing instruction at the end of the loop branch so that it does not read on a freed ptr. CR-fixed: 1082487
fontforge · Jul 14, 2014 · 79a8466 · 79a8466
1 parent a231b8d
commit 79a8466
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/fontforge/splineutil.c b/fontforge/splineutil.c
@@ -5084,16 +5084,16 @@ static AnchorPoint *AnchorPointsRemoveName(AnchorPoint *alist,AnchorClass *an) {
 	next = ap->next;
 	if ( ap->anchor == an ) {
 	    if ( prev==NULL )
-		alist = next;
+		    alist = next;
 	    else
-		prev->next = next;
+		    prev->next = next;
 	    ap->next = NULL;
-	    AnchorPointsFree(ap);
 	    if ( an->type == act_mark || (an->type==act_mklg && ap->type==at_mark))
 		next = NULL;	/* Only one instance of an anchor class in a glyph for mark to base anchors */
 				/*  Or for the mark glyphs of ligature classes */
 			        /*  Mark to mark & cursive will (probably) have 2 occurances */
 			        /*  and ligatures may have lots */
+	    AnchorPointsFree(ap);
 	} else
 	    prev = ap;
     }