author | Federico Mena Quintero <federico@gnome.org> | 2015-02-19 18:12:49 -0600 |
---|---|---|
committer | Federico Mena Quintero <federico@gnome.org> | 2015-02-19 18:18:08 -0600 |
commit | f8019aaa9f785061285def07712b5cfcd7ab26aa (patch) | |
tree | 508f2f59c0d87428c80d76e3855becaa74eeba12 | |
parent | d7b49df88d28ef70efd0efc9db319fd4b6969b91 (diff) | |
download | librsvg-f8019aaa9f785061285def07712b5cfcd7ab26aa.tar.gz |
bgo#744688 - Fix double g_free() when processing stroke-dasharray
The part of rsvg_parse_style_pair() that validates the dash pattern, by seeing
if any actual dash length was generated, could leave a dangling pointer after
a g_free() if the dash pattern turned out to be invalid. Later, rsvg_state_inherit_run()
would try to g_free() this dangling pointer as well.
Found by Atte Kettunen's fuzz testing.
Signed-off-by: Federico Mena Quintero <federico@gnome.org>
-rw-r--r-- | rsvg-styles.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/rsvg-styles.c b/rsvg-styles.c
index b71bb6bd..1247fa4a 100644
--- a/rsvg-styles.c
+++ b/rsvg-styles.c
@@ -311,7 +311,7 @@ rsvg_state_inherit_run (RsvgState * dst, const RsvgState * src,
 if (function (dst->has_text_anchor, src->has_text_anchor))
 dst->text_anchor = src->text_anchor;
 if (function (dst->has_letter_spacing, src->has_letter_spacing))
- dst->letter_spacing = src->letter_spacing;
+ dst->letter_spacing = src->letter_spacing;
 if (function (dst->has_startMarker, src->has_startMarker))
 dst->startMarker = src->startMarker;
 if (function (dst->has_middleMarker, src->has_middleMarker))
@@ -329,10 +329,10 @@ rsvg_state_inherit_run (RsvgState * dst, const RsvgState * src,
 }
 if (function (dst->has_space_preserve, src->has_space_preserve))
- dst->space_preserve = src->space_preserve;
+ dst->space_preserve = src->space_preserve;
 if (function (dst->has_visible, src->has_visible))
- dst->visible = src->visible;
+ dst->visible = src->visible;
 if (function (dst->has_lang, src->has_lang)) {
 if (dst->has_lang)
@@ -807,6 +807,7 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
 if (state->dash.n_dash != 0) {
 /* free any cloned dash data */
 g_free (state->dash.dash);
+ state->dash.dash = NULL;
 state->dash.n_dash = 0;
 }
 } else {
@@ -840,6 +841,7 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
 be ignored */
 if (total == 0) {
 g_free (state->dash.dash);
+ state->dash.dash = NULL;
 state->dash.n_dash = 0;
 }
 }
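Review bot: The free-and-reset sequence added in the hunk at -807 is repeated verbatim in the hunk at -840, and the invariant it restores (`n_dash == 0` implies `dash == NULL`) is written down nowhere, so the next site that frees `state->dash.dash` can reintroduce the dangling pointer this commit removes. A small `static` helper doing `g_free (state->dash.dash); state->dash.dash = NULL; state->dash.n_dash = 0;` called from both sites would make the reset impossible to forget; failing that, a comment above the first site such as `/* dash must be NULL whenever n_dash is 0: rsvg_state_inherit_run() frees dst->dash.dash again (bgo#744688) */` records why the assignment matters. The fix works because `g_free (NULL)` is a no-op, which is worth stating in that comment since the second free in rsvg_state_inherit_run() is not touched by this change. rsvg_parse_style_pair() begins and ends outside both hunks.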