$NetBSD: patch-CVE-2017-9814,v 1.2 2018/01/06 11:30:56 adam Exp $

relevant part of https://bugs.freedesktop.org/attachment.cgi?id=132563

--- src/cairo-truetype-subset.c.orig	2017-12-05 00:20:46.000000000 +0000
+++ src/cairo-truetype-subset.c
@@ -187,7 +187,7 @@ _cairo_truetype_font_create (cairo_scale
     if (unlikely (status))
 	return status;
 
-    font = malloc (sizeof (cairo_truetype_font_t));
+    font = _cairo_malloc (sizeof (cairo_truetype_font_t));
     if (unlikely (font == NULL))
 	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
@@ -240,7 +240,7 @@ _cairo_truetype_font_create (cairo_scale
 
     /* If the PS name is not found, create a CairoFont-x-y name. */
     if (font->base.ps_name == NULL) {
-        font->base.ps_name = malloc (30);
+        font->base.ps_name = _cairo_malloc (30);
         if (unlikely (font->base.ps_name == NULL)) {
 	    status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
             goto fail3;
@@ -616,7 +616,7 @@ cairo_truetype_font_write_glyf_table (ca
     else
 	size = sizeof (int32_t) * (font->num_glyphs_in_face + 1);
 
-    u.bytes = malloc (size);
+    u.bytes = _cairo_malloc (size);
     if (unlikely (u.bytes == NULL))
 	return _cairo_truetype_font_set_error (font, CAIRO_STATUS_NO_MEMORY);
 
@@ -1189,7 +1189,7 @@ cairo_truetype_subset_init_internal (cai
     truetype_subset->descent = (double)font->base.descent/font->base.units_per_em;
 
     if (length) {
-	truetype_subset->data = malloc (length);
+	truetype_subset->data = _cairo_malloc (length);
 	if (unlikely (truetype_subset->data == NULL)) {
 	    status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	    goto fail4;
@@ -1202,7 +1202,7 @@ cairo_truetype_subset_init_internal (cai
 
     if (num_strings) {
 	offsets_length = num_strings * sizeof (unsigned long);
-	truetype_subset->string_offsets = malloc (offsets_length);
+	truetype_subset->string_offsets = _cairo_malloc (offsets_length);
 	if (unlikely (truetype_subset->string_offsets == NULL)) {
 	    status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	    goto fail5;
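Review bot: The allocation size on the `offsets_length = num_strings * sizeof (unsigned long);` line is still an unchecked multiplication, and switching to `_cairo_malloc` changes nothing here because the `if (num_strings)` guard already excludes zero. If `num_strings` is derived from font data (its origin is outside the hunk), a wrapped product would give a buffer smaller than the code that fills it expects. cairo's overflow-checking helper covers this case: `truetype_subset->string_offsets = _cairo_malloc_ab (num_strings, sizeof (unsigned long));`, keeping `offsets_length` for whatever later code uses it. The body of cairo_truetype_subset_init_internal continues outside the hunk.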
@@ -1290,7 +1290,7 @@ _cairo_truetype_reverse_cmap (cairo_scal
 	return CAIRO_INT_STATUS_UNSUPPORTED;
 
     size = be16_to_cpu (map->length);
-    map = malloc (size);
+    map = _cairo_malloc (size);
     if (unlikely (map == NULL))
 	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
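Review bot: Only a zero `size` is rejected by `map = _cairo_malloc (size);`, so a `map->length` of a few bytes still yields a valid allocation shorter than the table header. If the code after this hunk reads header fields from the new `map` before validating `size` (not visible here), those reads would still run past the buffer. A lower bound ahead of the allocation would close the gap: `if (size < sizeof (*map)) return CAIRO_INT_STATUS_UNSUPPORTED;`. It would also stop a zero-length table from being reported as `CAIRO_STATUS_NO_MEMORY`, which mislabels malformed input as an allocation failure. The same consideration applies to `name = _cairo_malloc (size);` in the _cairo_truetype_read_font_name hunk.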
@@ -1456,7 +1456,7 @@ find_name (tt_name_t *name, int name_id,
 	    if (len > MAX_FONT_NAME_LENGTH)
 		break;
 
-	    str = malloc (len + 1);
+	    str = _cairo_malloc (len + 1);
 	    if (str == NULL)
 		return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
@@ -1482,7 +1482,7 @@ find_name (tt_name_t *name, int name_id,
 	for (i = 0; i < u_len; i++)
 	    size += _cairo_ucs4_to_utf8 (be16_to_cpu(u[i]), NULL);
 
-	utf8 = malloc (size + 1);
+	utf8 = _cairo_malloc (size + 1);
 	if (utf8 == NULL) {
 	    status =_cairo_error (CAIRO_STATUS_NO_MEMORY);
 	    goto fail;
@@ -1517,7 +1517,7 @@ find_name (tt_name_t *name, int name_id,
 	}
     }
     if (has_tag) {
-	p = malloc (len - 6);
+	p = _cairo_malloc (len - 6);
 	if (unlikely (p == NULL)) {
 	    status =_cairo_error (CAIRO_STATUS_NO_MEMORY);
 	    goto fail;
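Review bot: `p = _cairo_malloc (len - 6);` relies on `len` being greater than 6 whenever `has_tag` is set, and nothing in the visible lines shows that. With `len == 6` the call now returns NULL and the font is reported as `CAIRO_STATUS_NO_MEMORY`; with a smaller `len` the subtraction would go negative or wrap, depending on the type of `len`, which is declared outside the hunk. If the code that sets `has_tag` already guarantees the bound, a comment here such as `/* has_tag implies len > 6 */` would record it. Otherwise test `len > 6` together with `has_tag`.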
@@ -1562,7 +1562,7 @@ _cairo_truetype_read_font_name (cairo_sc
     if (status)
 	return status;
 
-    name = malloc (size);
+    name = _cairo_malloc (size);
     if (name == NULL)
         return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
