From: Hans Petter Jansson Date: Thu, 1 May 2008 08:44:03 +0000 (+0000) Subject: Fix a free() that should be an iks_free(). Fix an array overflow in the X-Git-Tag: EVINCE_2_22_2~2 X-Git-Url: https://www.fi.muni.cz/~kas/git//home/kas/public_html/git/?a=commitdiff_plain;h=f843142643c21f60109959505892a3ccb7401922;p=evince.git Fix a free() that should be an iks_free(). Fix an array overflow in the 2008-05-01 Hans Petter Jansson * backend/impress/iksemel.c (sax_core): Fix a free() that should be an iks_free(). Fix an array overflow in the XML parser that would occur whenever the number of attributes in a tag was greater than 0 and divisible by 6. Fixes GNOME bug #530852. svn path=/branches/gnome-2-22/; revision=3030 --- diff --git a/ChangeLog b/ChangeLog index a7d4747e..21db9616 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2008-05-01 Hans Petter Jansson + + * backend/impress/iksemel.c (sax_core): Fix a free() that should + be an iks_free(). Fix an array overflow in the XML parser that + would occur whenever the number of attributes in a tag was greater + than 0 and divisible by 6. Fixes GNOME bug #530852. + 2008-04-19 Carlos Garcia Campos * libdocument/ev-document-factory.c: (get_document_from_uri): diff --git a/backend/impress/iksemel.c b/backend/impress/iksemel.c index 91edcb3e..9908e132 100644 --- a/backend/impress/iksemel.c +++ b/backend/impress/iksemel.c @@ -761,11 +761,11 @@ sax_core (iksparser *prs, char *buf, int len) if (prs->attcur >= (prs->attmax * 2)) { void *tmp; prs->attmax += 12; - tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax); + tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1)); if (!tmp) return IKS_NOMEM; - memset (tmp, 0, sizeof(char *) * 2 * prs->attmax); + memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1)); memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur); - free (prs->atts); + iks_free (prs->atts); prs->atts = tmp; } }