broadway: Fix possible access-after-free

author Alexander Larsson <alexl@redhat.com>

Wed, 19 Dec 2012 20:57:58 +0000 (21:57 +0100)

committer Alexander Larsson <alexl@redhat.com>

Wed, 19 Dec 2012 23:00:16 +0000 (00:00 +0100)
author Alexander Larsson <alexl@redhat.com>
Wed, 19 Dec 2012 20:57:58 +0000 (21:57 +0100)
committer Alexander Larsson <alexl@redhat.com>
Wed, 19 Dec 2012 23:00:16 +0000 (00:00 +0100)
diff --git a/gdk/broadway/broadway.c b/gdk/broadway/broadway.c

index d16111e06e1a599cfbf5328193a6a0e4507a9920..157b3c1b7e50479a1a32e50e19f0a266e9fe52ae 100644 (file)
--- a/gdk/broadway/broadway.c
+++ b/gdk/broadway/broadway.c
@@ -351,12 +351,12 @@ static void
  append_uint16 (BroadwayOutput *output, guint32 v)
  {
    gsize old_len = output->buf->len;
+  guint8 *buf;
  
    if (output->binary)
      {
-      guint8 *buf = (guint8 *)output->buf->str + old_len;
-
        g_string_set_size (output->buf, old_len + 2);
+      buf = (guint8 *)output->buf->str + old_len;
        buf[0] = (v >> 0) & 0xff;
        buf[1] = (v >> 8) & 0xff;
      }
@@ -371,12 +371,12 @@ static void
  append_uint32 (BroadwayOutput *output, guint32 v)
  {
    gsize old_len = output->buf->len;
+  guint8 *buf;
  
    if (output->binary)
      {
-      guint8 *buf = (guint8 *)output->buf->str + old_len;
-
        g_string_set_size (output->buf, old_len + 4);
+      buf = (guint8 *)output->buf->str + old_len;
        buf[0] = (v >> 0) & 0xff;
        buf[1] = (v >> 8) & 0xff;
        buf[2] = (v >> 16) & 0xff;
author	Alexander Larsson <alexl@redhat.com>
	Wed, 19 Dec 2012 20:57:58 +0000 (21:57 +0100)
committer	Alexander Larsson <alexl@redhat.com>
	Wed, 19 Dec 2012 23:00:16 +0000 (00:00 +0100)