author | Chris Wilson <chris@chris-wilson.co.uk> | 2010-05-20 21:54:51 +0100 |
---|---|---|
committer | Chris Wilson <chris@chris-wilson.co.uk> | 2010-05-20 21:57:58 +0100 |
commit | 2f0f4ed0e2ae5657dedfe180b7be3a2496753ba8 (patch) | |
tree | 64717101ae4456bbce7543e983cfb7c68e893895 /src/cairo-freed-pool.c | |
parent | 97b4aeba44e5f4b23b3ed417b991570b46d4736e (diff) | |
download | cairo-2f0f4ed0e2ae5657dedfe180b7be3a2496753ba8.tar.gz |
freed-pool: Don't access beyond the end of the array.
Argh. This bug has been here for quite some time and only showed itself
with a corrupt pointer on ppc32. Since the erroneous write is inside the
block, it remained undetected by valgrind.
Diffstat (limited to 'src/cairo-freed-pool.c')
-rw-r--r-- | src/cairo-freed-pool.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/cairo-freed-pool.c b/src/cairo-freed-pool.c
index 9d4269307..cfdc8e96b 100644
--- a/src/cairo-freed-pool.c
+++ b/src/cairo-freed-pool.c
@@ -73,7 +73,7 @@ _freed_pool_put_search (freed_pool_t *pool, void *ptr)
 }
 /* full */
- pool->top = ARRAY_LENGTH (pool->pool);
+ pool->top = i;
 free (ptr);
 }
@@ -86,6 +86,8 @@ _freed_pool_reset (freed_pool_t *pool)
 free (pool->pool[i]);
 pool->pool[i] = NULL;
 }
+
+ pool->top = 0;
 }
 #endif |
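Review bot: `pool->top = i;` on the full path of _freed_pool_put_search takes its value from a loop that starts outside this hunk, so it cannot be confirmed here that the stored value differs from the old `ARRAY_LENGTH (pool->pool)`. If that loop runs `i` up to the array length, top still ends one past the last slot. In that case any code that indexes `pool->pool[pool->top]` needs its own `top < ARRAY_LENGTH (pool->pool)` check, which is presumably where the out-of-bounds write from the commit message has to be stopped. I would state the invariant next to the assignment, e.g. `/* full: top may equal ARRAY_LENGTH (pool->pool); users of top must bounds-check before indexing */`.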
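Review bot: The added `pool->top = 0;` at the end of _freed_pool_reset has no comment, and the loop above it already NULLs every slot, so the need for it is not evident from the code. A one-line comment would record the invariant being restored, e.g. `/* pool is empty again: restart at slot 0 so a stale top is never used as an index */`. The function's opening lines are outside the hunk, so whether reset can run while other threads still use the pool cannot be judged from here; if it can, the plain store to top deserves a second look.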