Context Navigation

Back to Ticket #34520

Ticket #34520: 0001-aa94ba030885f3105e6452929d04917a2ef94393.patch

File 0001-aa94ba030885f3105e6452929d04917a2ef94393.patch, 1.4 KB (added by su-v, 12 years ago)

lib/diasvgrenderer.c

From aa94ba030885f3105e6452929d04917a2ef94393 Mon Sep 17 00:00:00 2001
From: Hans Breuer <hans@breuer.org>
Date: Sun, 08 Apr 2012 12:42:41 +0000
Subject: Bug 668587 - Double free() for some SVG rendering

The fix for bug 665648 introduced a memory corruption.
Now the #if-0'ed code as well as the #else branch respect
DiaSvgRender::get_fill_style() having a const return.
(cherry picked from commit 47bb76af3ba20b5e83be79a874df02c405934899)
---
diff --git a/lib/diasvgrenderer.c b/lib/diasvgrenderer.c
index 4dc0695..14aefc4 100644

  draw_text_line(DiaRenderer *self, TextLine *text_line,
   saved_width = renderer->linewidth;
   renderer->linewidth = 0.001;
-  style = (char*)get_fill_style(renderer, colour);
   /* return value must not be freed */
   renderer->linewidth = saved_width;
 #if 0 /* would need a unit: https://bugzilla.mozilla.org/show_bug.cgi?id=707071#c4 */
   tmp = g_strdup_printf("%s; font-size: %s", style,
+  style = g_strdup_printf("%s; font-size: %s", get_fill_style(renderer, colour),
                         dia_svg_dtostr(d_buf, text_line_get_height(text_line)));
+  style = tmp;
+#else
+  /* get_fill_style: the return value of this function must not be saved
+   * anywhere. And of course it must not be free'd */
+  style = g_strdup (get_fill_style(renderer, colour));
 #endif
   /* This is going to break for non-LTR texts, as SVG thinks 'start' is
    * 'right' for those. */

Download in other formats:

Original Format