authorChris Wilson <chris@chris-wilson.co.uk>2010-05-20 21:54:51 +0100
committerChris Wilson <chris@chris-wilson.co.uk>2010-05-20 21:57:58 +0100
commit2f0f4ed0e2ae5657dedfe180b7be3a2496753ba8 (patch)
tree64717101ae4456bbce7543e983cfb7c68e893895 /src/cairo-freed-pool.c
parent97b4aeba44e5f4b23b3ed417b991570b46d4736e (diff)
freed-pool: Don't access beyond the end of the array.
Argh. This bug has been here for quite some time and only showed itself as a corrupt pointer on ppc32. Since the erroneous write landed inside an allocated block, it remained undetected by valgrind.
Diffstat (limited to 'src/cairo-freed-pool.c')
-rw-r--r--src/cairo-freed-pool.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/cairo-freed-pool.c b/src/cairo-freed-pool.c
index 9d4269307..cfdc8e96b 100644
--- a/src/cairo-freed-pool.c
+++ b/src/cairo-freed-pool.c
@@ -73,7 +73,7 @@ _freed_pool_put_search (freed_pool_t *pool, void *ptr)
}
/* full */
- pool->top = ARRAY_LENGTH (pool->pool);
+ pool->top = i;
free (ptr);
}
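Review bot: The replacement line `pool->top = i;` takes its value from the search loop's exit state, and that loop is outside the hunk; if the loop runs `i` up to `ARRAY_LENGTH (pool->pool)`, the stored value is the same one the removed line computed, so this hunk alone does not keep `top` below the array bound. Whatever prevents the out-of-bounds write must then be a bounds check in the code that indexes `pool->pool[pool->top]`, which is not shown here and is worth confirming. A comment at the store would make the invariant checkable by the next reader: `/* top counts occupied slots: it may equal ARRAY_LENGTH (pool->pool) and is then not a valid index */`. The rest of _freed_pool_put_search, including the loop, lies outside the hunk.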
@@ -86,6 +86,8 @@ _freed_pool_reset (freed_pool_t *pool)
free (pool->pool[i]);
pool->pool[i] = NULL;
}
+
+ pool->top = 0;
}
#endif
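Review bot: `pool->top = 0;` is added without a comment saying why the reset needs it; one line would tie it to the loop above: `/* every slot is NULL again, so the next put must start at slot 0 */`. Whether callers of _freed_pool_reset can overlap with a concurrent put or get is not visible here (the loop header and the function's callers are outside the hunk); if they can, this plain store would need the same treatment as the other updates to `top`.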