From 130eb6f16d35ccd36d2b5759ba6aa3decb014162 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 15 Jul 2019 07:34:19 -0400
Subject: layout: Avoid access-after-free

insert_run (... TRUE) frees the need_hyphen array,
so we need to check for the hyphen beforehand.
---
 pango/pango-layout.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pango/pango-layout.c b/pango/pango-layout.c
index 37aeed72..fb732d7d 100644
--- a/pango/pango-layout.c
+++ b/pango/pango-layout.c
@@ -3694,8 +3694,9 @@ process_item (PangoLayout     *layout,
 
 	  if (break_num_chars == item->num_chars)
 	    {
+              gboolean insert_hyphen = break_needs_hyphen (layout, state, break_num_chars);
 	      insert_run (line, state, item, TRUE);
-              if (break_needs_hyphen (layout, state, break_num_chars))
+              if (insert_hyphen)
                 insert_hyphen_after (line, state, item);
 
 	      return BREAK_ALL_FIT;
@@ -3707,6 +3708,7 @@ process_item (PangoLayout     *layout,
 	  else
 	    {
 	      PangoItem *new_item;
+              gboolean insert_hyphen = break_needs_hyphen (layout, state, break_num_chars);
 
 	      length = g_utf8_offset_to_pointer (layout->text + item->offset, break_num_chars) - (layout->text + item->offset);
 
@@ -3721,7 +3723,7 @@ process_item (PangoLayout     *layout,
 	      /* Shaped items should never be broken */
 	      g_assert (!shape_set);
 
-              if (break_needs_hyphen (layout, state, break_num_chars))
+              if (insert_hyphen)
                 insert_hyphen_after (line, state, new_item);
 
 	      state->log_widths_offset += break_num_chars;
-- 
cgit v1.2.1