xcb: Don't crash when swapping a 0-sized glyph

malloc(0) needn't return NULL, and on glibc, doesn't. Then we encounter a loop of the form do { ... } while (--c), which doesn't do quite what you were hoping for when c is initially 0. Since there's nothing to swap in this case, just bomb out. Signed-off-by: Adam Jackson <ajax@redhat.com>
author: Adam Jackson <ajax@redhat.com> 2014-10-31 13:21:15 -0400
committer: Bryce Harrington <bryce@osg.samsung.com> 2014-11-06 12:56:18 -0800
commit: a03f2ff72054c9530f98738aac729354a3f56102 (patch)
tree: 7d9c4ed1529cd9ac903791e50e2c8c9c1e95f7f7 /src/cairo-xcb-surface-render.c
parent: 3cf862f6d973755cd9824c2224fbe0a623c47ff1 (diff)
download: cairo-a03f2ff72054c9530f98738aac729354a3f56102.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/cairo-xcb-surface-render.c b/src/cairo-xcb-surface-render.c
index 21a89cc0f..1a086a24f 100644
--- a/src/cairo-xcb-surface-render.c
+++ b/src/cairo-xcb-surface-render.c
@@ -4467,6 +4467,9 @@ _cairo_xcb_surface_add_glyph (cairo_xcb_connection_t *connection,
 	    const uint8_t *d;
 	    uint8_t *new, *n;
 
+	    if (c == 0)
+		break;
+
 	    new = malloc (c);
 	    if (unlikely (new == NULL)) {
 		status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
@@ -4495,6 +4498,9 @@ _cairo_xcb_surface_add_glyph (cairo_xcb_connection_t *connection,
 	    const uint32_t *d;
 	    uint32_t *new, *n;
 
+	    if (c == 0)
+		break;
+
 	    new = malloc (4 * c);
 	    if (unlikely (new == NULL)) {
 		status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
author	Adam Jackson <ajax@redhat.com>	2014-10-31 13:21:15 -0400
committer	Bryce Harrington <bryce@osg.samsung.com>	2014-11-06 12:56:18 -0800
commit	a03f2ff72054c9530f98738aac729354a3f56102 (patch)
tree	7d9c4ed1529cd9ac903791e50e2c8c9c1e95f7f7 /src/cairo-xcb-surface-render.c
parent	3cf862f6d973755cd9824c2224fbe0a623c47ff1 (diff)
download	cairo-a03f2ff72054c9530f98738aac729354a3f56102.tar.gz