[cairo-commit] src/cairo-pdf-surface.c
Chris Wilson
ickle at kemper.freedesktop.org
Mon Apr 23 14:16:31 PDT 2012
src/cairo-pdf-surface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit f736cd144305f7c9147912f6ec081962b3191e3d
Author: Jeff Mahoney <jeffm at suse.com>
Date: Mon Apr 23 22:04:48 2012 +0100
pdf: Fix wrong allocation in _cairo_pdf_surface_add_source_surface

_cairo_pdf_surface_add_source_surface allocates unique_id with
size unique_id_length but then copies surface_key.unique_id_length into it.

This causes e.g. evince to crash predictably while trying to print with:

*** buffer overflow detected ***: evince terminated

We should be using surface_key.unique_id_length instead.

Reported-by: Dominique Leuenberger <dominique-freedesktop.org at leuenberger.net>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=49089
Signed-off-by: Jeff Mahoney <jeffm at suse.com>

diff --git a/src/cairo-pdf-surface.c b/src/cairo-pdf-surface.c
index 3b65167..4ff381a 100644
--- a/src/cairo-pdf-surface.c
+++ b/src/cairo-pdf-surface.c
@@ -1381,7 +1381,7 @@ _cairo_pdf_surface_add_source_surface (cairo_pdf_surface_t *surface,
goto release_source;
if (surface_key.unique_id && surface_key.unique_id_length > 0) {
- unique_id = malloc (unique_id_length);
+ unique_id = _cairo_malloc (surface_key.unique_id_length);
if (unique_id == NULL) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto release_source;
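
Review bot: On the added line, the allocation size now comes from surface_key.unique_id_length, but the local unique_id_length that the removed line used is still declared (the patch is one insertion and one deletion), so the two names can be confused again. Consider setting unique_id_length = surface_key.unique_id_length once inside this if block and using that single value for both the allocation and the copy the commit message describes. The same line also replaces malloc with _cairo_malloc, which the commit message does not mention; a sentence stating that the allocator wrapper changed, and why, would keep the size fix and the wrapper swap distinguishable in the history.
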