1 files changed, 39 insertions, 0 deletions

diff --git a/graphics/dia/patches/0001-Bug-668587-Double-free-for-some-SVG-rendering.patch b/graphics/dia/patches/0001-Bug-668587-Double-free-for-some-SVG-rendering.patch
new file mode 100644
index 0000000000..2354be3ed1
--- /dev/null
+++ b/graphics/dia/patches/0001-Bug-668587-Double-free-for-some-SVG-rendering.patch
@@ -0,0 +1,39 @@
+From aa94ba030885f3105e6452929d04917a2ef94393 Mon Sep 17 00:00:00 2001
+From: Hans Breuer <hans@breuer.org>
+Date: Sun, 8 Apr 2012 14:42:41 +0200
+Subject: [PATCH 01/24] Bug 668587 - Double free() for some SVG rendering
+
+The fix for bug 665648 introduced a memory corruption.
+Now the #if-0'ed code as well as the #else branch respect
+DiaSvgRender::get_fill_style() having a const return.
+(cherry picked from commit 47bb76af3ba20b5e83be79a874df02c405934899)
+---
+ lib/diasvgrenderer.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/diasvgrenderer.c b/lib/diasvgrenderer.c
+index 4dc0695..14aefc4 100644
+--- a/lib/diasvgrenderer.c
++++ b/lib/diasvgrenderer.c
+@@ -677,13 +677,15 @@ draw_text_line(DiaRenderer *self, TextLine *text_line,
+  
+   saved_width = renderer->linewidth;
+   renderer->linewidth = 0.001;
+-  style = (char*)get_fill_style(renderer, colour);
+   /* return value must not be freed */
+   renderer->linewidth = saved_width;
+ #if 0 /* would need a unit: https://bugzilla.mozilla.org/show_bug.cgi?id=707071#c4 */
+-  tmp = g_strdup_printf("%s; font-size: %s", style,
++  style = g_strdup_printf("%s; font-size: %s", get_fill_style(renderer, colour),
+ 			dia_svg_dtostr(d_buf, text_line_get_height(text_line)));
+-  style = tmp;
++#else
++  /* get_fill_style: the return value of this function must not be saved 
++   * anywhere. And of course it must not be free'd */
++  style = g_strdup (get_fill_style(renderer, colour));
+ #endif
+   /* This is going to break for non-LTR texts, as SVG thinks 'start' is
+    * 'right' for those. */
+-- 
+1.8.4.4
+