summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCarlos Garcia Campos <carlosgc@gnome.org>2009-10-20 10:09:13 +0200
committerCarlos Garcia Campos <carlosgc@gnome.org>2009-10-20 10:09:13 +0200
commitc839b706092583f6b12ed3cc634bf5af34b7a2bb (patch)
treedf3a1d917aacae1b5d099145c64eb6c5a3d4cf3f
parent44462e0ca39392e5629020226b901e4026089b46 (diff)
[glib] Fix CVE-2009-3607
-rw-r--r--glib/poppler-page.cc20
1 files changed, 10 insertions, 10 deletions
diff --git a/glib/poppler-page.cc b/glib/poppler-page.cc
index 225c97b2..3c0ead1f 100644
--- a/glib/poppler-page.cc
+++ b/glib/poppler-page.cc
@@ -609,28 +609,28 @@ create_surface_from_thumbnail_data (guchar *data,
gint rowstride)
{
guchar *cairo_pixels;
+ gint cairo_stride;
cairo_surface_t *surface;
- static cairo_user_data_key_t key;
int j;
- cairo_pixels = (guchar *)g_malloc (4 * width * height);
- surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
- CAIRO_FORMAT_RGB24,
- width, height, 4 * width);
- cairo_surface_set_user_data (surface, &key,
- cairo_pixels, (cairo_destroy_func_t)g_free);
+ surface = cairo_image_surface_create (CAIRO_FORMAT_RGB24, width, height);
+ if (cairo_surface_status (surface))
+ return NULL;
+
+ cairo_pixels = cairo_image_surface_get_data (surface);
+ cairo_stride = cairo_image_surface_get_stride (surface);
for (j = height; j; j--) {
guchar *p = data;
guchar *q = cairo_pixels;
guchar *end = p + 3 * width;
-
+
while (p < end) {
#if G_BYTE_ORDER == G_LITTLE_ENDIAN
q[0] = p[2];
q[1] = p[1];
q[2] = p[0];
-#else
+#else
q[1] = p[0];
q[2] = p[1];
q[3] = p[2];
@@ -640,7 +640,7 @@ create_surface_from_thumbnail_data (guchar *data,
}
data += rowstride;
- cairo_pixels += 4 * width;
+ cairo_pixels += cairo_stride;
}
return surface;