-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | backend/impress/iksemel.c | 6 |
2 files changed, 10 insertions, 3 deletions
@@ -1,3 +1,10 @@
+2008-05-01 Hans Petter Jansson <hpj@novell.com>
+
+ * backend/impress/iksemel.c (sax_core): Fix a free() that should
+ be an iks_free(). Fix an array overflow in the XML parser that
+ would occur whenever the number of attributes in a tag was greater
+ than 0 and divisible by 6. Fixes GNOME bug #530852.
+
 2008-04-29 Carlos Garcia Campos <carlosgc@gnome.org>
 
 * backend/djvu/djvu-document-private.h:
diff --git a/backend/impress/iksemel.c b/backend/impress/iksemel.c
index 91edcb3..9908e13 100644
--- a/backend/impress/iksemel.c
+++ b/backend/impress/iksemel.c
@@ -761,11 +761,11 @@ sax_core (iksparser *prs, char *buf, int len)
 if (prs->attcur >= (prs->attmax * 2)) {
 void *tmp;
 prs->attmax += 12;
- tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax);
+ tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1));
 if (!tmp) return IKS_NOMEM;
- memset (tmp, 0, sizeof(char *) * 2 * prs->attmax);
+ memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1));
 memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur);
- free (prs->atts);
+ iks_free (prs->atts);
 prs->atts = tmp;
 }
 }
|
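Review bot: The extra slot is added only on this growth path, while the first allocation of `prs->atts` sits outside the hunk. If that allocation is still sized `2 * prs->attmax` with no `+ 1`, a tag whose attributes exactly fill the initial array would presumably still run one pointer past the end, so it should be checked against the same sizing. The `+ 1` is also unexplained in the code; a comment such as `/* one spare slot so the list stays NULL-terminated when full */` would help, assuming that is what the slot is for. Because the attribute count is driven by the parsed document, the byte count would be better computed once, e.g. `size_t n = sizeof(char *) * (2 * (size_t) prs->attmax + 1);`, and used for both `iks_malloc` and `memset`. That keeps the two sizes from drifting apart and, if `attmax` is an `int`, keeps the arithmetic out of signed range. sax_core starts and ends outside this hunk.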