[cairo] patch for 'invalid write' in cairo-pdf-surface.c

Tomasz Cholewo cholewo at ieee-cis.org
Wed Jun 1 16:00:02 PDT 2005


_cairo_array_append in cairo_pdf_ft_font_write can realloc
font->output making previously calculated font->checksum_location
pointer invalid.  I attach a proposed patch (in essence: store
the array index, not a raw pointer) and a valgrind trace that
demonstrates the bug.

Tomasz Cholewo




-------------- next part --------------
A non-text attachment was scrubbed...
Name: cairo-checksum-location.patch
Type: text/x-patch
Size: 1614 bytes
Desc: not available
Url : http://lists.freedesktop.org/archives/cairo/attachments/20050601/4698810e/cairo-checksum-location.bin
-------------- next part --------------
==29342== Invalid write of size 4
==29342==    at 0x1B95B7A8: cairo_pdf_ft_font_generate (cairo-pdf-surface.c:781)
==29342==    by 0x1B95A5D0: cairo_pdf_font_generate (cairo-pdf-surface.c:288)
==29342==    by 0x1B95D9E1: _cairo_pdf_document_write_fonts (cairo-pdf-surface.c:2026)
==29342==    by 0x1B95DD6F: _cairo_pdf_document_finish (cairo-pdf-surface.c:2193)
==29342==    by 0x1B95C002: _cairo_pdf_surface_finish (cairo-pdf-surface.c:1103)
==29342==    by 0x1B950D6B: cairo_surface_finish (cairo-surface.c:178)
==29342==    by 0x1B950D10: cairo_surface_destroy (cairo-surface.c:139)
==29342==    by 0x1B9472E3: _cairo_gstate_fini (cairo-gstate.c:199)
==29342==  Address 0x1BB64470 is 13880 bytes inside a block of size 16384 free'd
==29342==    at 0x1B904C61: realloc (vg_replace_malloc.c:196)
==29342==    by 0x1B944443: _cairo_array_grow_by (cairo-array.c:74)
==29342==    by 0x1B944544: _cairo_array_append (cairo-array.c:115)
==29342==    by 0x1B95A950: cairo_pdf_ft_font_write (cairo-pdf-surface.c:395)
==29342==    by 0x1B95ABBD: cairo_pdf_ft_font_write_generic_table (cairo-pdf-surface.c:468)
==29342==    by 0x1B95B712: cairo_pdf_ft_font_generate (cairo-pdf-surface.c:769)
==29342==    by 0x1B95A5D0: cairo_pdf_font_generate (cairo-pdf-surface.c:288)
==29342==    by 0x1B95D9E1: _cairo_pdf_document_write_fonts (cairo-pdf-surface.c:2026)
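
The pattern the message describes, keeping an index into a growable array instead of a raw pointer, as an added example; this is not cairo's code and not the attached patch. buf_t, buf_append, build_with_checksum and the byte-sum checksum are hypothetical stand-ins for font->output, _cairo_array_append and the checksum written at checksum_location.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer standing in for font->output. */
typedef struct { unsigned char *data; size_t len, cap; } buf_t;

/* Append n bytes. May realloc: pointers into b->data taken earlier go stale. */
static int buf_append(buf_t *b, const void *src, size_t n) {
    if (n > b->cap - b->len) {
        size_t cap = b->cap ? b->cap : 16;
        while (cap - b->len < n) cap *= 2;
        unsigned char *p = realloc(b->data, cap);
        if (!p) return -1;
        b->data = p; b->cap = cap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Reserve a 4-byte checksum slot, append the payload, then patch the slot
 * (big-endian). Returns 0 on success, -1 on allocation failure. */
int build_with_checksum(buf_t *b, const unsigned char *payload, size_t n) {
    static const unsigned char zero[4] = {0};
    /* Buggy form: save `b->data + b->len` as a pointer here and write through
     * it after the appends; once realloc moves the block that is a stale write. */
    size_t checksum_off = b->len;      /* an offset stays valid across realloc */
    if (buf_append(b, zero, 4) || buf_append(b, payload, n)) return -1;

    uint32_t sum = 0;                  /* constructed checksum: plain byte sum */
    for (size_t i = 0; i < b->len; i++) sum += b->data[i];
    unsigned char *loc = b->data + checksum_off;  /* resolve against current base */
    loc[0] = (unsigned char)(sum >> 24); loc[1] = (unsigned char)(sum >> 16);
    loc[2] = (unsigned char)(sum >> 8);  loc[3] = (unsigned char)sum;
    return 0;
}

int main(void) {
    buf_t b = {0};
    unsigned char payload[4096];       /* constructed sample data */
    memset(payload, 1, sizeof payload);
    if (build_with_checksum(&b, payload, sizeof payload)) return 1;
    printf("len=%zu slot=%02x%02x%02x%02x\n", b.len,
           b.data[0], b.data[1], b.data[2], b.data[3]);
    free(b.data);
    return 0;
}
```

The 4096-byte payload forces the buffer to grow from 16 bytes, so the offset is resolved against a base pointer obtained after the last realloc.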


