summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdam Jackson <ajax@redhat.com>2014-10-31 13:21:15 -0400
committerBryce Harrington <bryce@osg.samsung.com>2014-11-06 12:56:18 -0800
commita03f2ff72054c9530f98738aac729354a3f56102 (patch)
tree7d9c4ed1529cd9ac903791e50e2c8c9c1e95f7f7
parent3cf862f6d973755cd9824c2224fbe0a623c47ff1 (diff)
xcb: Don't crash when swapping a 0-sized glyph
malloc(0) needn't return NULL, and on glibc, doesn't. Then we encounter a loop of the form do { ... } while (--c), which doesn't do quite what you were hoping for when c is initially 0. Since there's nothing to swap in this case, just bomb out. Signed-off-by: Adam Jackson <ajax@redhat.com>
-rw-r--r--src/cairo-xcb-surface-render.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/cairo-xcb-surface-render.c b/src/cairo-xcb-surface-render.c
index 21a89cc0f..1a086a24f 100644
--- a/src/cairo-xcb-surface-render.c
+++ b/src/cairo-xcb-surface-render.c
@@ -4467,6 +4467,9 @@ _cairo_xcb_surface_add_glyph (cairo_xcb_connection_t *connection,
const uint8_t *d;
uint8_t *new, *n;
+ if (c == 0)
+ break;
+
new = malloc (c);
if (unlikely (new == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -4495,6 +4498,9 @@ _cairo_xcb_surface_add_glyph (cairo_xcb_connection_t *connection,
const uint32_t *d;
uint32_t *new, *n;
+ if (c == 0)
+ break;
+
new = malloc (4 * c);
if (unlikely (new == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);