evince r3030 - in branches/gnome-2-22: . backend/impress

From: hansp svn gnome org
To: svn-commits-list gnome org
Subject: evince r3030 - in branches/gnome-2-22: . backend/impress
Date: Thu, 1 May 2008 09:44:03 +0100 (BST)

Author: hansp
Date: Thu May  1 08:44:03 2008
New Revision: 3030
URL: http://svn.gnome.org/viewvc/evince?rev=3030&view=rev

Log:
2008-05-01  Hans Petter Jansson  <hpj novell com>

	* backend/impress/iksemel.c (sax_core): Fix a free() that should
	be an iks_free(). Fix an array overflow in the XML parser that
	would occur whenever the number of attributes in a tag was greater
	than 0 and divisible by 6. Fixes GNOME bug #530852.



Modified:
   branches/gnome-2-22/ChangeLog
   branches/gnome-2-22/backend/impress/iksemel.c

Modified: branches/gnome-2-22/backend/impress/iksemel.c
==============================================================================
--- branches/gnome-2-22/backend/impress/iksemel.c	(original)
+++ branches/gnome-2-22/backend/impress/iksemel.c	Thu May  1 08:44:03 2008
@@ -761,11 +761,11 @@
 					if (prs->attcur >= (prs->attmax * 2)) {
 						void *tmp;
 						prs->attmax += 12;
-						tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax);
+						tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1));
 						if (!tmp) return IKS_NOMEM;
-						memset (tmp, 0, sizeof(char *) * 2 * prs->attmax);
+						memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1));
 						memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur);
-						free (prs->atts);
+						iks_free (prs->atts);
 						prs->atts = tmp;
 					}
 				}

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]