[librsvg: 4/48] rsvg-load: Fix use-after-free in xinclude_handler_end() if it were called

[Federico Mena Quintero <federico src gnome org>]

commit 0ec3601c05d2b943842792b1127a193af6a7b999
Author: Federico Mena Quintero <federico gnome org>
Date:   Tue Aug 28 20:19:13 2018 -0500

    rsvg-load: Fix use-after-free in xinclude_handler_end() if it were called
    
    Again, this function is not called due to how nested handlers are
    being used.

 librsvg/rsvg-load.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
---
diff --git a/librsvg/rsvg-load.c b/librsvg/rsvg-load.c
index d9b9b6b8..754f6303 100644
--- a/librsvg/rsvg-load.c
+++ b/librsvg/rsvg-load.c
@@ -365,14 +365,13 @@ static void
 xinclude_handler_end (RsvgSaxHandler * self, const char *name)
 {
     RsvgSaxHandlerXinclude *z = (RsvgSaxHandlerXinclude *) self;
+    RsvgSaxHandler *previous = z->prev_handler;
+    RsvgLoad *load = z->load;
 
     if (!strcmp (name, "include") || !strcmp (name, "xi:include")) {
-        if (z->load->handler != NULL) {
-            RsvgSaxHandler *previous_handler;
-
-            previous_handler = z->prev_handler;
-            z->load->handler->free (z->load->handler);
-            z->load->handler = previous_handler;
+        if (load->handler != NULL) {
+            load->handler->free (load->handler);
+            load->handler = previous;
         }
     } else if (z->in_fallback) {
         if (!strcmp (name, "xi:fallback"))