patch 9.0.2118: [security]: avoid double-free in get_style_font_variants v9.0.2118
authorChristian Brabandt <cb@256bit.org>
Sun, 19 Nov 2023 15:25:45 +0000 (16:25 +0100)
committerChristian Brabandt <cb@256bit.org>
Tue, 21 Nov 2023 18:54:12 +0000 (19:54 +0100)
Problem:  [security]: avoid double-free
Solution: Only free plain_font, when it is not the same as bold_font

When plain_font == bold_font and bold_font is not NULL, we may end up
trying to free bold_font again, which already has been freed a few lines
above.

So only free bold_font, when the condition gui.font_can_bold is true,
which means that bold_font is not pointing to plain_font (so it needs to
be freed separately).

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/gui_gtk_x11.c
src/version.c

index 4b3f53ef91a59b8c26e0b263cd38bf52e84524cc..87838b948881459ba7b4cd4244f7257d903b1bf3 100644 (file)
@@ -5048,7 +5048,8 @@ get_styled_font_variants(void)
     }
 
     pango_font_description_free(bold_font_desc);
-    g_object_unref(plain_font);
+    if (bold_font != NULL && gui.font_can_bold)
+       g_object_unref(plain_font);
 }
 
 static PangoEngineShape *default_shape_engine = NULL;
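Review bot: The new guard `if (bold_font != NULL && gui.font_can_bold)` also skips the unref when `bold_font` is NULL, and nothing in the visible lines releases `plain_font` on that path, so a failed bold-font load appears to leak one reference per call. If the intent is only to avoid a second unref when the two pointers are equal, the condition would read `if (bold_font == NULL || gui.font_can_bold)`. The guard also infers ownership from pointer equality, so it is worth confirming whether each font load hands back its own reference, in which case the original unconditional unref was already balanced. The body of get_styled_font_variants starts above the hunk, so the earlier free of `bold_font` is taken from the commit message rather than from visible lines.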
index 6994b3402cb487ba07eae5cef3aa958180cc3861..78446d57c42fba9a173a27a620972b7e3ed30cfd 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2118,
 /**/
     2117,
 /**/