author | Bryce Harrington <bryce@bryceharrington.org> | 2018-06-06 09:30:00 -0700
---|---|---
committer | Bryce Harrington <bryce@bryceharrington.org> | 2018-06-13 15:21:50 -0700
commit | 9d2e3646fa04c98747ae3b05a9be433eda7f2730 |
tree | 8e04745c1ca9a82a967e7eeb41efdfd7981537f8 |
parent | d09d2ebfd5845de7b3fa12b76c4abead4d587016 |

If the bitmap's min is non-zero, _bitmap_next_id() could break out of
its loop early, before initializing the prev variable. prev would then
be dereferenced without a null ptr check. This condition should never
occur in practice, so add an assert() to assure it doesn't.
Same issue is present in trace.c.
Coverity IDs: #1159557, #1159558
Reviewed-By: Uli Schlachter <psychon@znc.in>
Signed-off-by: Bryce Harrington <bryce@bryceharrington.org>

-rw-r--r-- | src/cairo-script-surface.c | 1
-rw-r--r-- | util/cairo-trace/trace.c | 2

2 files changed, 3 insertions, 0 deletions

diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c index e715cae50..7db7dc5b0 100644 --- a/src/cairo-script-surface.c +++ b/src/cairo-script-surface.c @@ -262,6 +262,7 @@ _bitmap_next_id (struct _bitmap *b, prev = &b->next; b = b->next; } while (b != NULL); + assert (prev != NULL); bb = _cairo_malloc (sizeof (struct _bitmap)); if (unlikely (bb == NULL)) diff --git a/util/cairo-trace/trace.c b/util/cairo-trace/trace.c index 3c056134e..87b2df46e 100644 --- a/util/cairo-trace/trace.c +++ b/util/cairo-trace/trace.c @@ -299,8 +299,10 @@ _type_next_token (Type *t) prev = &b->next; b = b->next; } + assert (prev != NULL); bb = malloc (sizeof (struct _bitmap)); + *prev = bb; bb->next = b; bb->min = min; |
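
Review bot: In the src/cairo-script-surface.c hunk, the new `assert (prev != NULL);` after the `while (b != NULL)` loop is compiled out when NDEBUG is defined, so a release build reaches the later dereference of prev with no guard at all. If the goal is to rule out the null dereference rather than only to document the invariant for Coverity, an explicit check that takes the same failure path as the `if (unlikely (bb == NULL))` test just below would hold in every build configuration. A one-line comment next to the assert saying why a non-zero min cannot occur in practice would also help the next reader.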
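
Review bot: In the util/cairo-trace/trace.c hunk, `bb = malloc (sizeof (struct _bitmap));` is followed directly by `*prev = bb; bb->next = b; bb->min = min;` with no NULL check on bb in between, so the lines right after the new assert still carry the same class of unchecked-pointer dereference this patch sets out to remove. The cairo-script-surface.c version tests `bb == NULL` after its allocation; trace.c should get an equivalent check before bb is linked into the list and written to. The NDEBUG concern applies here as well: `assert (prev != NULL);` gives no protection for `*prev = bb` in a build where asserts are disabled.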