rsvg-load: Fix use-after-free in style_handler_end()

... because this function never gets called.  This is because in
sax_end_element_cb(), load->handler_nest is never > 0 when we are
about to call the end_element function of the current handler.  This
is wrong; will fix shortly.
parent 0319fa11
......@@ -200,12 +200,13 @@ static void
style_handler_end (RsvgSaxHandler * self, const char *name)
{
RsvgSaxHandlerStyle *z = (RsvgSaxHandlerStyle *) self;
RsvgSaxHandler *prev = z->parent;
RsvgSaxHandler *previous = z->parent;
RsvgLoad *load = z->load;
if (!strcmp (name, "style")) {
if (z->load->handler != NULL) {
z->load->handler->free (z->load->handler);
z->load->handler = prev;
if (load->handler != NULL) {
load->handler->free (load->handler);
load->handler = previous;
}
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment