From 47ea3a9452becc5b707617557ec03ceaeac87ada Mon Sep 17 00:00:00 2001
From: Benjamin Otte
Date: Thu, 5 Apr 2018 18:18:55 +0200
Subject: snapshot: Don't cause invalid reads

1. Pass clip rectangles to gtk_snapshot_push_state() that point into the state array.
2. g_array_set_size(len+1) the state array
3. Make that function realloc() the state array.
4. The clip rectangle now points into invalid memory
5. Use the clip array

This patch fixes things by moving step 5 to before step 2.
---
 gtk/gtksnapshot.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/gtk/gtksnapshot.c b/gtk/gtksnapshot.c
index c383364275..ad7b2d358a 100644
--- a/gtk/gtksnapshot.c
+++ b/gtk/gtksnapshot.c
@@ -116,24 +116,24 @@ gtk_snapshot_push_state (GtkSnapshot *snapshot,
                          int translate_y,
                          GtkSnapshotCollectFunc collect_func)
 {
-  GtkSnapshotState *state;
-
-  g_array_set_size (snapshot->state_stack, snapshot->state_stack->len + 1);
-  state = &g_array_index (snapshot->state_stack, GtkSnapshotState, snapshot->state_stack->len - 1);
+  GtkSnapshotState state = { 0, };
 
-  state->name = name;
+  state.name = name;
   if (clip)
     {
-      state->clip = *clip;
-      state->has_clip = TRUE;
+      state.clip = *clip;
+      state.has_clip = TRUE;
     }
-  state->translate_x = translate_x;
-  state->translate_y = translate_y;
-  state->collect_func = collect_func;
-  state->start_node_index = snapshot->nodes->len;
-  state->n_nodes = 0;
-  return state;
+  state.translate_x = translate_x;
+  state.translate_y = translate_y;
+  state.collect_func = collect_func;
+  state.start_node_index = snapshot->nodes->len;
+  state.n_nodes = 0;
+
+  g_array_append_val (snapshot->state_stack, state);
+
+  return &g_array_index (snapshot->state_stack, GtkSnapshotState, snapshot->state_stack->len - 1);
 }
 
 static GtkSnapshotState *
-- 
cgit v1.2.1
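Review bot: The pointer returned on the new last line is still an address inside state_stack's storage, so it is invalidated by the next g_array_append_val()/g_array_set_size() on that array — the same stale-pointer hazard this commit removes for `clip` now sits with whoever holds the return value; whether any caller keeps it across a further push cannot be seen from this hunk. Nothing in the new body says why the copy-then-append order matters, so a later "simplification" back to writing into the array directly would silently reintroduce the bug. I would add a comment above the append, `/* clip may point into state_stack itself, which the append below can realloc: every field must be copied out of it before this call */`, and one at the return, `/* Valid only until the next push/pop on state_stack */`. The function's signature lines start above the hunk.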