sna/glyphs: Fix array allocation for list_extents

Originally I intended to skip assigning the box on the last list. However, loop simplicity failed and now we run the risk of writing beyond the end of stack_extents, and overwriting the list_extents pointer. Reported-by: Jiri Slaby <jirislaby@gmail.com> References: https://bugs.freedesktop.org/show_bug.cgi?id=47597 Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
author: Chris Wilson <chris@chris-wilson.co.uk> 2012-07-12 19:39:10 +0100
committer: Chris Wilson <chris@chris-wilson.co.uk> 2012-07-12 19:39:10 +0100
commit: 32e7f4ee64867779b2def6fcd882708d7b0e2cf5 (patch)
tree: 387ea28f0ecea90bea1c88295f162be6c671cd73 /src
parent: 0477b5fb6f040f3bad86bb314a24df1bcd660aed (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/sna/sna_glyphs.c b/src/sna/sna_glyphs.c
index cd29b07e..f8959e16 100644
--- a/src/sna/sna_glyphs.c
+++ b/src/sna/sna_glyphs.c
@@ -1049,8 +1049,8 @@ glyphs_format(int nlist, GlyphListPtr list, GlyphPtr * glyphs)
 	BoxRec stack_extents[64], *list_extents = stack_extents;
 	int i, j;
 
-	if (nlist > ARRAY_SIZE(stack_extents) + 1) {
-		list_extents = malloc(sizeof(BoxRec) * (nlist-1));
+	if (nlist > ARRAY_SIZE(stack_extents)) {
+		list_extents = malloc(sizeof(BoxRec) * nlist);
 		if (list_extents == NULL)
 			return NULL;
 	}
author	Chris Wilson <chris@chris-wilson.co.uk>	2012-07-12 19:39:10 +0100
committer	Chris Wilson <chris@chris-wilson.co.uk>	2012-07-12 19:39:10 +0100
commit	32e7f4ee64867779b2def6fcd882708d7b0e2cf5 (patch)
tree	387ea28f0ecea90bea1c88295f162be6c671cd73 /src
parent	0477b5fb6f040f3bad86bb314a24df1bcd660aed (diff)