[poppler] glib/poppler-page.cc

[Carlos Garcia Campos]

 glib/poppler-page.cc |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

New commits:
commit c839b706092583f6b12ed3cc634bf5af34b7a2bb
Author: Carlos Garcia Campos <carlosgc at gnome.org>
Date:   Tue Oct 20 10:09:13 2009 +0200

    [glib] Fix CVE-2009-3607

diff --git a/glib/poppler-page.cc b/glib/poppler-page.cc
index 225c97b..3c0ead1 100644
--- a/glib/poppler-page.cc
+++ b/glib/poppler-page.cc
@@ -609,28 +609,28 @@ create_surface_from_thumbnail_data (guchar *data,
 				    gint    rowstride)
 {
   guchar *cairo_pixels;
+  gint cairo_stride;
   cairo_surface_t *surface;
-  static cairo_user_data_key_t key;
   int j;
 
-  cairo_pixels = (guchar *)g_malloc (4 * width * height);
-  surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
-						 CAIRO_FORMAT_RGB24,
-						 width, height, 4 * width);
-  cairo_surface_set_user_data (surface, &key,
-			       cairo_pixels, (cairo_destroy_func_t)g_free);
+  surface = cairo_image_surface_create (CAIRO_FORMAT_RGB24, width, height);
+  if (cairo_surface_status (surface))
+    return NULL;
+
+  cairo_pixels = cairo_image_surface_get_data (surface);
+  cairo_stride = cairo_image_surface_get_stride (surface);
 
   for (j = height; j; j--) {
     guchar *p = data;
     guchar *q = cairo_pixels;
     guchar *end = p + 3 * width;
-	  
+
     while (p < end) {
 #if G_BYTE_ORDER == G_LITTLE_ENDIAN
       q[0] = p[2];
       q[1] = p[1];
       q[2] = p[0];
-#else	  
+#else
       q[1] = p[0];
       q[2] = p[1];
       q[3] = p[2];
@@ -640,7 +640,7 @@ create_surface_from_thumbnail_data (guchar *data,
     }
 
     data += rowstride;
-    cairo_pixels += 4 * width;
+    cairo_pixels += cairo_stride;
   }
 
   return surface;