summaryrefslogtreecommitdiff
path: root/graphics/dia/patches/0001-Bug-668587-Double-free-for-some-SVG-rendering.patch
blob: 2354be3ed180aa34e05987c99837614291c12b22 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
From aa94ba030885f3105e6452929d04917a2ef94393 Mon Sep 17 00:00:00 2001
From: Hans Breuer <hans@breuer.org>
Date: Sun, 8 Apr 2012 14:42:41 +0200
Subject: [PATCH 01/24] Bug 668587 - Double free() for some SVG rendering

The fix for bug 665648 introduced a memory corruption.
Now the #if-0'ed code as well as the #else branch respect
DiaSvgRender::get_fill_style() having a const return.
(cherry picked from commit 47bb76af3ba20b5e83be79a874df02c405934899)
---
 lib/diasvgrenderer.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/diasvgrenderer.c b/lib/diasvgrenderer.c
index 4dc0695..14aefc4 100644
--- a/lib/diasvgrenderer.c
+++ b/lib/diasvgrenderer.c
@@ -677,13 +677,15 @@ draw_text_line(DiaRenderer *self, TextLine *text_line,
  
   saved_width = renderer->linewidth;
   renderer->linewidth = 0.001;
-  style = (char*)get_fill_style(renderer, colour);
   /* return value must not be freed */
   renderer->linewidth = saved_width;
 #if 0 /* would need a unit: https://bugzilla.mozilla.org/show_bug.cgi?id=707071#c4 */
-  tmp = g_strdup_printf("%s; font-size: %s", style,
+  style = g_strdup_printf("%s; font-size: %s", get_fill_style(renderer, colour),
 			dia_svg_dtostr(d_buf, text_line_get_height(text_line)));
-  style = tmp;
+#else
+  /* get_fill_style: the return value of this function must not be saved 
+   * anywhere. And of course it must not be free'd */
+  style = g_strdup (get_fill_style(renderer, colour));
 #endif
   /* This is going to break for non-LTR texts, as SVG thinks 'start' is
    * 'right' for those. */
-- 
1.8.4.4