From 8dc3b629434ce256f8e6a584c5853ae9b4230c33 Mon Sep 17 00:00:00 2001

From: Adam Jackson <ajax@redhat.com>

Date: Wed, 31 Oct 2012 16:06:51 -0400

Subject: [PATCH 1/2] xlib: Don't crash when swapping a 0-sized glyph

malloc(0) needn't return NULL, and on glibc, doesn't.  Then we encounter

a loop of the form do { ... } while (--c), which doesn't do quite what

you were hoping for when c is initially 0.

Since there's nothing to swap in this case, just bomb out.

Signed-off-by: Adam Jackson <ajax@redhat.com>

---

 src/cairo-xlib-render-compositor.c | 6 ++++++

 1 file changed, 6 insertions(+)

diff --git a/src/cairo-xlib-render-compositor.c b/src/cairo-xlib-render-compositor.c

index 74c43e9..e38a659 100644

--- a/src/cairo-xlib-render-compositor.c

+++ b/src/cairo-xlib-render-compositor.c

@@ -1251,6 +1251,9 @@ _cairo_xlib_surface_add_glyph (cairo_xlib_display_t *display,

 	    unsigned char   *d;

 	    unsigned char   *new, *n;

+	    if (c == 0)

+		break;

+

 	    new = malloc (c);

 	    if (!new) {

 		status = _cairo_error (CAIRO_STATUS_NO_MEMORY);

@@ -1276,6 +1279,9 @@ _cairo_xlib_surface_add_glyph (cairo_xlib_display_t *display,

 	    const uint32_t *d;

 	    uint32_t *new, *n;

+	    if (c == 0)

+		break;

+

 	    new = malloc (4 * c);

 	    if (unlikely (new == NULL)) {

 		status = _cairo_error (CAIRO_STATUS_NO_MEMORY);

-- 

1.7.12.1