[cairo-commit] src/cairo-pdf-surface.c

Chris Wilson ickle at kemper.freedesktop.org
Mon Apr 23 14:16:31 PDT 2012


 src/cairo-pdf-surface.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit f736cd144305f7c9147912f6ec081962b3191e3d
Author: Jeff Mahoney <jeffm at suse.com>
Date:   Mon Apr 23 22:04:48 2012 +0100

    pdf: Fix wrong allocation in _cairo_pdf_surface_add_source_surface
    
    _cairo_pdf_surface_add_source_surface allocates unique_id with
    size unique_id_length but then copies surface_key.unique_id_length into it.
    
    This causes e.g. evince to crash predictably while trying to print with:
    *** buffer overflow detected ***: evince terminated
    
    We should be using surface_key.unique_id_length instead.
    
    Reported-by: Dominique Leuenberger <dominique-freedesktop.org at leuenberger.net>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=49089
    Signed-off-by: Jeff Mahoney <jeffm at suse.com>

diff --git a/src/cairo-pdf-surface.c b/src/cairo-pdf-surface.c
index 3b65167..4ff381a 100644
--- a/src/cairo-pdf-surface.c
+++ b/src/cairo-pdf-surface.c
@@ -1381,7 +1381,7 @@ _cairo_pdf_surface_add_source_surface (cairo_pdf_surface_t	    *surface,
 	    goto release_source;
 
 	if (surface_key.unique_id && surface_key.unique_id_length > 0) {
-	    unique_id = malloc (unique_id_length);
+	    unique_id = _cairo_malloc (surface_key.unique_id_length);
 	    if (unique_id == NULL) {
 		status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
 		goto release_source;
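Review bot: the `+` line folds two changes into one: the size argument moves from the local `unique_id_length` to `surface_key.unique_id_length` (the actual bug, where the buffer was sized from the wrong variable and then overrun by the copy of `surface_key.unique_id_length` bytes), and `malloc` is swapped for `_cairo_malloc`, which the commit message never mentions. Please say in the message why the wrapper is preferred here, or drop that part so the stable-branch backport is the minimal one-token fix. The `if` on the line above already requires `surface_key.unique_id_length > 0`, so the allocation never sees a zero size either way. Since this was the only visible use of the local `unique_id_length`, also check whether it is still assigned or read elsewhere in the function; if not, remove the declaration so the build does not pick up an unused-variable warning and nobody reintroduces the mismatch later.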

