authorMatthias Clasen <mclasen@redhat.com>2022-03-16 15:46:51 -0400
committerMatthias Clasen <mclasen@redhat.com>2022-03-18 23:46:16 -0400
commit5de30b596bd4b2b65715fc283264448127ca4b61 (patch)
tree91a729f073a340c2563dcb1053fa48b110e87617
parent74e437bc6502aae80b3a3a9b0775cbd841665617 (diff)
downloadpango-5de30b596bd4b2b65715fc283264448127ca4b61.tar.gz
AVoid a use-after-free in pango_attr_list_change
This was showing up as crashes in pitivi and inkscape. The added test does not crash, but it does produce the wrong result without the fix. Fixes: #678
-rw-r--r--pango/pango-attributes.c3
-rw-r--r--tests/testattributes.c23
2 files changed, 26 insertions, 0 deletions
diff --git a/pango/pango-attributes.c b/pango/pango-attributes.c
index 4d7111fa..20809afc 100644
--- a/pango/pango-attributes.c
+++ b/pango/pango-attributes.c
@@ -2157,6 +2157,9 @@ pango_attr_list_change (PangoAttrList *list,
if (tmp_attr->klass->type != attr->klass->type)
continue;
+ if (tmp_attr == attr)
+ continue;
+
if (tmp_attr->end_index <= attr->end_index ||
pango_attribute_equal (tmp_attr, attr))
{
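Review bot: The new `if (tmp_attr == attr) continue;` guard has no comment, and without one the pointer-identity check reads as redundant next to the `pango_attribute_equal` test just below it. When `tmp_attr` is `attr` itself, both halves of the following condition are true, so the branch (its body is outside the hunk) would presumably treat the attribute being changed as a superseded entry and release it while `attr` is still in use, which matches the use-after-free named in the commit message. I would add above the guard: `/* attr may itself sit in the range being scanned; never merge or free it against itself */`. pango_attr_list_change starts and ends outside the hunk, so whether any other loop in it needs the same identity check cannot be judged from here.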
diff --git a/tests/testattributes.c b/tests/testattributes.c
index 4a6b69b4..5d3334e8 100644
--- a/tests/testattributes.c
+++ b/tests/testattributes.c
@@ -1398,6 +1398,28 @@ test_change_order (void)
pango_attr_list_unref (list);
}
+static void
+test_pitivi_crash (void)
+{
+ PangoAttrList *list;
+ PangoAttribute *attr;
+
+ list = pango_attr_list_from_string ("0 8 font-features \"tnum=1\"\n"
+ "0 20 font-desc \"sans-serif\"\n"
+ "0 9 size 102400\n");
+
+ attr = pango_attr_font_features_new ("tnum=2");
+ attr->end_index = 9;
+
+ pango_attr_list_change (list, attr);
+
+ assert_attr_list (list, "0 9 font-features \"tnum=2\"\n"
+ "0 20 font-desc \"sans-serif\"\n"
+ "0 9 size 102400\n");
+
+ pango_attr_list_unref (list);
+}
+
int
main (int argc, char *argv[])
{
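Review bot: `test_pitivi_crash` asserts only on the serialized attribute list, and the commit message says the unfixed code does not crash here, so the memory-safety half of this regression is only exercised when the suite runs under AddressSanitizer or valgrind. A comment at the top of the function would make that explicit, e.g. `/* Regression test for #678: pango_attr_list_change must not free attr while still using it; run under ASan/valgrind to catch the invalid access */`. The result of `pango_attr_list_from_string` is also used unchecked; adding `g_assert_nonnull (list);` after the call would turn a parse failure into a clear test failure instead of a NULL dereference further down.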
@@ -1439,6 +1461,7 @@ main (int argc, char *argv[])
g_test_add_func ("/attributes/iter/epsilon_zero", test_iter_epsilon_zero);
g_test_add_func ("/attributes/gnumeric-splice", test_gnumeric_splice);
g_test_add_func ("/attributes/list/change_order", test_change_order);
+ g_test_add_func ("/attributes/pitivi-crash", test_pitivi_crash);
return g_test_run ();
}