[librsvg] bgo#744688 - Fix double g_free() when processing stroke-dasharray



commit f8019aaa9f785061285def07712b5cfcd7ab26aa
Author: Federico Mena Quintero <federico gnome org>
Date:   Thu Feb 19 18:12:49 2015 -0600

    bgo#744688 - Fix double g_free() when processing stroke-dasharray
    
    The part of rsvg_parse_style_pair() that validates the dash pattern, by seeing
    if any actual dash length was generated, could leave a dangling pointer after
    a g_free() if the dash pattern turned out to be invalid.  Later, rsvg_state_inherit_run()
    would try to g_free() this dangling pointer as well.
    
    Found by Atte Kettunen's fuzz testing.
    
    Signed-off-by: Federico Mena Quintero <federico gnome org>

 rsvg-styles.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)
---
diff --git a/rsvg-styles.c b/rsvg-styles.c
index b71bb6b..1247fa4 100644
--- a/rsvg-styles.c
+++ b/rsvg-styles.c
@@ -311,7 +311,7 @@ rsvg_state_inherit_run (RsvgState * dst, const RsvgState * src,
     if (function (dst->has_text_anchor, src->has_text_anchor))
         dst->text_anchor = src->text_anchor;
     if (function (dst->has_letter_spacing, src->has_letter_spacing))
-       dst->letter_spacing = src->letter_spacing;
+        dst->letter_spacing = src->letter_spacing;
     if (function (dst->has_startMarker, src->has_startMarker))
         dst->startMarker = src->startMarker;
     if (function (dst->has_middleMarker, src->has_middleMarker))
@@ -329,10 +329,10 @@ rsvg_state_inherit_run (RsvgState * dst, const RsvgState * src,
     }
 
     if (function (dst->has_space_preserve, src->has_space_preserve))
-       dst->space_preserve = src->space_preserve;
+        dst->space_preserve = src->space_preserve;
 
     if (function (dst->has_visible, src->has_visible))
-       dst->visible = src->visible;
+        dst->visible = src->visible;
 
     if (function (dst->has_lang, src->has_lang)) {
         if (dst->has_lang)
@@ -807,6 +807,7 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
             if (state->dash.n_dash != 0) {
                 /* free any cloned dash data */
                 g_free (state->dash.dash);
+                state->dash.dash = NULL;
                 state->dash.n_dash = 0;
             }
         } else {
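Review bot: The `if (state->dash.n_dash != 0)` guard around the freeing block is now the only thing that could leave `state->dash.dash` non-NULL while `n_dash` is 0, since `g_free(NULL)` is a no-op and the reset is otherwise safe to run unconditionally; making it unconditional removes that one remaining way for the two fields to disagree, which is exactly the class of inconsistency this commit fixes. I would replace the guarded block with `g_free (state->dash.dash); state->dash.dash = NULL; state->dash.n_dash = 0;` and drop the condition. A short comment, `/* NULL the pointer: rsvg_state_inherit_run() frees dash data too and must not see a stale one */`, would record why the reset matters, though the freeing side in rsvg_state_inherit_run() is not visible in this diff and is known only from the commit message. rsvg_parse_style_pair starts and ends outside this hunk.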
@@ -840,6 +841,7 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
                    be ignored */
                 if (total == 0) {
                     g_free (state->dash.dash);
+                    state->dash.dash = NULL;
                     state->dash.n_dash = 0;
                 }
             }
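Review bot: The three-line free/NULL/zero sequence added here duplicates the one in the earlier hunk of the same function, and the double-free being fixed arose precisely because one of these sites drifted from the other; a tiny `static void rsvg_dash_clear (RsvgState *state)` helper holding `g_free (state->dash.dash); state->dash.dash = NULL; state->dash.n_dash = 0;` and called from both places would keep the invariant in one spot. The `total == 0` rejection path should also carry a why-comment, e.g. `/* an all-zero pattern is invalid; reset both fields so later owners (including rsvg_state_inherit_run) see no dash to free */`. Whether any other code path frees `dash.dash` without clearing it cannot be judged from this diff. rsvg_parse_style_pair continues outside this hunk.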

