pixbuf new_from_xpm_data with too few lines

[Kevin Ryde <user42 zip com au>]

The program foo.pl below gives a segv for me.  There's not enough lines
in the data for what the header line says and I think
gdk_pixbuf_new_from_xpm_data() goes past the end of the array
Gtk2::Gdk::Pixbuf->new_from_xpm_data builds.  Adding a NULL at the end
keeps it out of trouble, giving either an error or a partial image.
(A NULL like that isn't actually documented as far as I can see, but of
course is pretty logical for an array of strings.)

use Gtk2;
use strict;
use warnings;

my $xpm = Gtk2::Gdk::Pixbuf->new_from_xpm_data (
"32 32 3 1",
" \tNone",
"x\t#000000",
);
print $xpm||'undef',"\n";

--- GdkPixbuf.xs	10 Jan 2008 09:51:50 +1100	1.45
+++ GdkPixbuf.xs	14 Jan 2008 19:30:17 +1100	
@@ -512,9 +512,13 @@
 	char ** lines;
 	int i;
     CODE:
-	lines = g_new (char *, items - 1);
+        /* Add a NULL terminator to protect against a segv if too few lines
+           are supplied.  GdkPixbuf io-xpm.c mem_buffer() recognises that as
+           an end of data. */
+	lines = g_new (char *, items);
 	for (i = 1; i < items; i++)
 		lines[i-1] = SvPV_nolen (ST (i));
+        lines[i-1] = NULL;
 	RETVAL = gdk_pixbuf_new_from_xpm_data((const char**)lines);
 	g_free(lines);
     OUTPUT: