evince r3029 - in trunk: . backend/impress

From: hansp svn gnome org
To: svn-commits-list gnome org
Subject: evince r3029 - in trunk: . backend/impress
Date: Thu, 1 May 2008 09:43:13 +0100 (BST)

Author: hansp
Date: Thu May  1 08:43:13 2008
New Revision: 3029
URL: http://svn.gnome.org/viewvc/evince?rev=3029&view=rev

Log:
2008-05-01  Hans Petter Jansson  <hpj novell com>

	* backend/impress/iksemel.c (sax_core): Fix a free() that should
	be an iks_free(). Fix an array overflow in the XML parser that
	would occur whenever the number of attributes in a tag was greater
	than 0 and divisible by 6. Fixes GNOME bug #530852.


Modified:
   trunk/ChangeLog
   trunk/backend/impress/iksemel.c

Modified: trunk/backend/impress/iksemel.c
==============================================================================
--- trunk/backend/impress/iksemel.c	(original)
+++ trunk/backend/impress/iksemel.c	Thu May  1 08:43:13 2008
@@ -761,11 +761,11 @@
 					if (prs->attcur >= (prs->attmax * 2)) {
 						void *tmp;
 						prs->attmax += 12;
-						tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax);
+						tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1));
 						if (!tmp) return IKS_NOMEM;
-						memset (tmp, 0, sizeof(char *) * 2 * prs->attmax);
+						memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1));
 						memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur);
-						free (prs->atts);
+						iks_free (prs->atts);
 						prs->atts = tmp;
 					}
 				}

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]