[librsvg] bgo#744299 - Ensure the type of pattern fallbacks

[Federico Mena Quintero <federico src gnome org>]

commit 0035e95118a60c0cd3949c2300472d805e16a022
Author: Federico Mena Quintero <federico gnome org>
Date:   Wed Feb 11 10:48:52 2015 -0600

    bgo#744299 - Ensure the type of pattern fallbacks
    
    Atte Kettunen's fuzz testing yielded an SVG with a pattern paint server that
    had an xlink:href to a *rect*, not to another patern.  Since we were not checking
    type type of resolved nodes when applying pattern fallbacks, we were using a
    structure of the wrong type.
    
    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=744299
    
    Signed-off-by: Federico Mena Quintero <federico gnome org>

 rsvg-paint-server.c |   29 +++++++++++++++++++++++------
 1 files changed, 23 insertions(+), 6 deletions(-)
---
diff --git a/rsvg-paint-server.c b/rsvg-paint-server.c
index da44806..6bb59d5 100644
--- a/rsvg-paint-server.c
+++ b/rsvg-paint-server.c
@@ -506,9 +506,11 @@ typedef void (* ApplyFallbackFn) (gpointer data, gpointer fallback_data);
  * The parameters are:
  *
  * @data: the paint server to resolve
- * @get_fallback: a function which, given a paint server, will return its fallback (or NULL)
+ * @get_fallback: a function which, given a paint server, will return its fallback (or NULL).
+ *                This function must make sure that the type of the node it gets passed is correct.
  * @apply_fallback: a function which, given a paint server and a fallback one, will apply
- *                  the fallback to the paint server as appropriate
+ *                  the fallback to the paint server as appropriate.  This function must
+ *                  ensure that the type of the fallback node it gets passed is correct.
  *
  * We use plain gpointers because this is called from different places with different
  * structure types.
@@ -723,19 +725,34 @@ rsvg_radial_gradient_fix_fallback (RsvgRadialGradient * grad)
 static gpointer
 pattern_get_fallback (gpointer data)
 {
-    RsvgPattern *pattern = data;
+    RsvgNode *node = data;
 
-    return pattern->fallback;
+    if (RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_PATTERN) {
+        RsvgPattern *pattern = (RsvgPattern *) node;
+
+        return pattern->fallback;
+    } else
+        return NULL;
 }
 
 static void
 pattern_apply_fallback (gpointer data, gpointer fallback_data)
 {
+    RsvgNode *pattern_node;
     RsvgPattern *pattern;
+    RsvgNode *fallback_node;
     RsvgPattern *fallback;
 
-    pattern = data;
-    fallback = fallback_data;
+    pattern_node = data;
+    fallback_node = fallback_data;
+
+    g_assert (RSVG_NODE_TYPE (pattern_node) == RSVG_NODE_TYPE_PATTERN);
+
+    if (RSVG_NODE_TYPE (fallback_node) != RSVG_NODE_TYPE_PATTERN)
+        return;
+
+    pattern = (RsvgPattern *) pattern_node;
+    fallback = (RsvgPattern *) fallback_node;
 
     if (!pattern->hasx && fallback->hasx) {
         pattern->hasx = TRUE;