[librsvg: 3/48] rsvg-load: Fix use-after-free in style_handler_end()



commit 0ce5df47861023009a5fab67c72af006e970f32b
Author: Federico Mena Quintero <federico gnome org>
Date:   Tue Aug 28 20:02:21 2018 -0500

    rsvg-load: Fix use-after-free in style_handler_end()
    
    ... because this function never gets called.  This is because in
    sax_end_element_cb(), load->handler_nest is never > 0 when we are
    about to call the end_element function of the current handler.  This
    is wrong; will fix shortly.

 librsvg/rsvg-load.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
---
diff --git a/librsvg/rsvg-load.c b/librsvg/rsvg-load.c
index bc8d3f4f..d9b9b6b8 100644
--- a/librsvg/rsvg-load.c
+++ b/librsvg/rsvg-load.c
@@ -200,12 +200,13 @@ static void
 style_handler_end (RsvgSaxHandler * self, const char *name)
 {
     RsvgSaxHandlerStyle *z = (RsvgSaxHandlerStyle *) self;
-    RsvgSaxHandler *prev = z->parent;
+    RsvgSaxHandler *previous = z->parent;
+    RsvgLoad *load = z->load;
 
     if (!strcmp (name, "style")) {
-        if (z->load->handler != NULL) {
-            z->load->handler->free (z->load->handler);
-            z->load->handler = prev;
+        if (load->handler != NULL) {
+            load->handler->free (load->handler);
+            load->handler = previous;
         }
     }
 }
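Review bot: Nothing in the new body says why `previous` and `load` are copied out of `z` before the `free` call, so a later tidy-up could fold them back into `z->load->handler = ...` and reintroduce the read of freed memory. A short comment above the two declarations would pin that down, e.g. `/* self is expected to be load->handler; read what we need from z before it is freed */`. The body frees `load->handler` but restores the parent taken from `self`, so it appears to rely on the two being the same object. If that is the intended invariant, `g_assert (load->handler == self);` before the `free` call would make a mismatch fail loudly rather than free one handler and install another handler's parent. The whole function is visible in this hunk.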

