From: Hans Petter Jansson Date: Thu, 1 May 2008 08:43:13 +0000 (+0000) Subject: Fix a free() that should be an iks_free(). Fix an array overflow in the X-Git-Tag: EVINCE_2_23_4~21 X-Git-Url: https://www.fi.muni.cz/~kas/git//home/kas/public_html/git/?a=commitdiff_plain;h=acd335e3f233518d347ac8587a5f37e6ce614f25;p=evince.git Fix a free() that should be an iks_free(). Fix an array overflow in the 2008-05-01 Hans Petter Jansson * backend/impress/iksemel.c (sax_core): Fix a free() that should be an iks_free(). Fix an array overflow in the XML parser that would occur whenever the number of attributes in a tag was greater than 0 and divisible by 6. Fixes GNOME bug #530852. svn path=/trunk/; revision=3029 --- diff --git a/ChangeLog b/ChangeLog index b5ff07d6..04609d4a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2008-05-01 Hans Petter Jansson + + * backend/impress/iksemel.c (sax_core): Fix a free() that should + be an iks_free(). Fix an array overflow in the XML parser that + would occur whenever the number of attributes in a tag was greater + than 0 and divisible by 6. Fixes GNOME bug #530852. + 2008-04-29 Carlos Garcia Campos * backend/djvu/djvu-document-private.h: diff --git a/backend/impress/iksemel.c b/backend/impress/iksemel.c index 91edcb3e..9908e132 100644 --- a/backend/impress/iksemel.c +++ b/backend/impress/iksemel.c @@ -761,11 +761,11 @@ sax_core (iksparser *prs, char *buf, int len) if (prs->attcur >= (prs->attmax * 2)) { void *tmp; prs->attmax += 12; - tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax); + tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1)); if (!tmp) return IKS_NOMEM; - memset (tmp, 0, sizeof(char *) * 2 * prs->attmax); + memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1)); memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur); - free (prs->atts); + iks_free (prs->atts); prs->atts = tmp; } }
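Review bot: In the `backend/impress/iksemel.c` hunk, the `+ 1` is applied only to the regrow branch guarded by `if (prs->attcur >= (prs->attmax * 2))`. The first allocation of `prs->atts` is not among the visible lines, so please confirm it reserves the same extra slot. If it does not, the array is still one pointer short until the first regrow. The growth check still compares against `prs->attmax * 2` while the buffer now holds `2 * prs->attmax + 1` pointers, and nothing in the code says what the extra slot is for. A one-line comment there would keep a later cleanup from removing it. The size expression `sizeof(char *) * (2 * prs->attmax + 1)` is now written out twice, for `iks_malloc` and for `memset`. Computing it once into a local `size_t` would keep the two from drifting apart. The switch from `free (prs->atts)` to `iks_free (prs->atts)` correctly pairs the release with `iks_malloc`. It would be worth checking the rest of `sax_core` for other plain `free()` calls on `iks_malloc`-allocated memory.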