authorBenjamin Otte <otte@redhat.com>2018-04-05 18:18:55 +0200
committerBenjamin Otte <otte@redhat.com>2018-04-05 18:41:34 +0200
commit47ea3a9452becc5b707617557ec03ceaeac87ada (patch)
tree0da8bf85c74736e7a357ecc7a519868802c98e1e
parent1792f3b21efbd8fe04cf49f2b1b9f731e8c191ca (diff)
snapshot: Don't cause invalid reads
1. Pass clip rectangles to gtk_snapshot_push_state() that point into the state array.
2. g_array_set_size(len+1) the state array.
3. Make that function realloc() the state array.
4. The clip rectangle now points into invalid memory.
5. Use the clip array.
This patch fixes things by moving step 5 to before step 2.
-rw-r--r--gtk/gtksnapshot.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/gtk/gtksnapshot.c b/gtk/gtksnapshot.c
index c383364275..ad7b2d358a 100644
--- a/gtk/gtksnapshot.c
+++ b/gtk/gtksnapshot.c
@@ -116,24 +116,24 @@ gtk_snapshot_push_state (GtkSnapshot *snapshot,
int translate_y,
GtkSnapshotCollectFunc collect_func)
{
- GtkSnapshotState *state;
-
- g_array_set_size (snapshot->state_stack, snapshot->state_stack->len + 1);
- state = &g_array_index (snapshot->state_stack, GtkSnapshotState, snapshot->state_stack->len - 1);
+ GtkSnapshotState state = { 0, };
- state->name = name;
+ state.name = name;
if (clip)
{
- state->clip = *clip;
- state->has_clip = TRUE;
+ state.clip = *clip;
+ state.has_clip = TRUE;
}
- state->translate_x = translate_x;
- state->translate_y = translate_y;
- state->collect_func = collect_func;
- state->start_node_index = snapshot->nodes->len;
- state->n_nodes = 0;
- return state;
+ state.translate_x = translate_x;
+ state.translate_y = translate_y;
+ state.collect_func = collect_func;
+ state.start_node_index = snapshot->nodes->len;
+ state.n_nodes = 0;
+
+ g_array_append_val (snapshot->state_stack, state);
+
+ return &g_array_index (snapshot->state_stack, GtkSnapshotState, snapshot->state_stack->len - 1);
}
static GtkSnapshotState *
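Review bot: The pointer returned at the end of the hunk (`&g_array_index (snapshot->state_stack, ...)`) still points into GArray-owned storage, so it is invalidated by the next growth of state_stack — the same realloc hazard the commit description lists, now moved to the caller's side. The new ordering makes the copy of `*clip` safe within this call, but a caller that keeps the returned GtkSnapshotState* across a subsequent gtk_snapshot_push_state() would read freed memory just as before; a comment on the return such as `/* Valid only until state_stack is next resized (e.g. the next push); re-fetch rather than cache. */` would make that contract visible. Minor style point: `GtkSnapshotState state = { 0, };` already zero-fills the struct, so `state.n_nodes = 0;` is redundant and can be dropped. The enclosing function's signature starts before this hunk.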