diff options
| author | Hans Petter Jansson <hpj@novell.com> | 2008-05-01 08:43:13 (GMT) |
|---|---|---|
| committer | Hans Petter <hansp@src.gnome.org> | 2008-05-01 08:43:13 (GMT) |
| commit | acd335e3f233518d347ac8587a5f37e6ce614f25 (patch) | |
| tree | ef57d4676e561a160067ff8ad499c69f11a69b9e | |
| parent | d0b4f6f4f25344453064384dc8467525cb6587f2 (diff) | |
Fix a free() that should be an iks_free(). Fix an array overflow in the
2008-05-01 Hans Petter Jansson <hpj@novell.com>
* backend/impress/iksemel.c (sax_core): Fix a free() that should
be an iks_free(). Fix an array overflow in the XML parser that
would occur whenever the number of attributes in a tag was greater
than 0 and divisible by 6. Fixes GNOME bug #530852.
svn path=/trunk/; revision=3029
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | backend/impress/iksemel.c | 6 |
2 files changed, 10 insertions, 3 deletions
@@ -1,3 +1,10 @@ +2008-05-01 Hans Petter Jansson <hpj@novell.com> + + * backend/impress/iksemel.c (sax_core): Fix a free() that should + be an iks_free(). Fix an array overflow in the XML parser that + would occur whenever the number of attributes in a tag was greater + than 0 and divisible by 6. Fixes GNOME bug #530852. + 2008-04-29 Carlos Garcia Campos <carlosgc@gnome.org> * backend/djvu/djvu-document-private.h: diff --git a/backend/impress/iksemel.c b/backend/impress/iksemel.c index 91edcb3..9908e13 100644 --- a/backend/impress/iksemel.c +++ b/backend/impress/iksemel.c @@ -761,11 +761,11 @@ sax_core (iksparser *prs, char *buf, int len) if (prs->attcur >= (prs->attmax * 2)) { void *tmp; prs->attmax += 12; - tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax); + tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1)); if (!tmp) return IKS_NOMEM; - memset (tmp, 0, sizeof(char *) * 2 * prs->attmax); + memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1)); memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur); - free (prs->atts); + iks_free (prs->atts); prs->atts = tmp; } } |