From acd335e3f233518d347ac8587a5f37e6ce614f25 Mon Sep 17 00:00:00 2001
From: Hans Petter Jansson
Date: Thu, 01 May 2008 08:43:13 +0000
Subject: Fix a free() that should be an iks_free(). Fix an array overflow in the 2008-05-01 Hans Petter Jansson * backend/impress/iksemel.c (sax_core): Fix a free() that should be an iks_free(). Fix an array overflow in the XML parser that would occur whenever the number of attributes in a tag was greater than 0 and divisible by 6. Fixes GNOME bug #530852. svn path=/trunk/; revision=3029
---
(limited to 'backend')
diff --git a/backend/impress/iksemel.c b/backend/impress/iksemel.c
index 91edcb3..9908e13 100644
--- a/backend/impress/iksemel.c
+++ b/backend/impress/iksemel.c
@@ -761,11 +761,11 @@ sax_core (iksparser *prs, char *buf, int len)
 if (prs->attcur >= (prs->attmax * 2)) {
 void *tmp;
 prs->attmax += 12;
- tmp = iks_malloc (sizeof(char *) * 2 * prs->attmax);
+ tmp = iks_malloc (sizeof(char *) * (2 * prs->attmax + 1));
 if (!tmp) return IKS_NOMEM;
- memset (tmp, 0, sizeof(char *) * 2 * prs->attmax);
+ memset (tmp, 0, sizeof(char *) * (2 * prs->attmax + 1));
 memcpy (tmp, prs->atts, sizeof(char *) * prs->attcur);
- free (prs->atts);
+ iks_free (prs->atts);
 prs->atts = tmp;
 }
 }
-- cgit v0.9.1
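Review bot: `prs->attmax += 12;` still runs before `iks_malloc`, so when the allocation fails and the block returns `IKS_NOMEM`, `prs->attmax` claims 12 more entries than the `prs->atts` buffer actually holds. If a caller keeps feeding this parser after the error (not visible here; `sax_core` starts and ends outside the hunk), the `prs->attcur >= (prs->attmax * 2)` guard would stop triggering a regrow and later stores could run past the old buffer, the same class of overflow this commit fixes. I would compute the new slot count once in a local, use it for both the `iks_malloc` and the `memset` so the two sizes cannot drift apart again, and raise `prs->attmax` only after the allocation has succeeded. Doing that arithmetic in `size_t` also keeps the size out of whatever type `attmax` has (its declaration is not in the hunk), and a short comment should say what the extra `+ 1` entry is for, presumably the terminating NULL.

```c
if (prs->attcur >= (prs->attmax * 2)) {
	void *tmp;
	/* entries in the grown array; the extra one is presumably the NULL terminator */
	size_t nslots = 2 * ((size_t) prs->attmax + 12) + 1;
	tmp = iks_malloc (sizeof(char *) * nslots);
	/* … unchanged: NULL check returning IKS_NOMEM … */
	memset (tmp, 0, sizeof(char *) * nslots);
	/* … unchanged: memcpy of the old entries, iks_free, prs->atts = tmp … */
	prs->attmax += 12;	/* record the new capacity only once the buffer exists */
```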