From 32e7f4ee64867779b2def6fcd882708d7b0e2cf5 Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Thu, 12 Jul 2012 19:39:10 +0100
Subject: [PATCH] sna/glyphs: Fix array allocation for list_extents

Originally I intended to skip assigning the box on the last list.
However, loop simplicity failed and now we run the risk of writing
beyond the end of stack_extents, and overwriting the list_extents
pointer.

Reported-by: Jiri Slaby <jirislaby@gmail.com>
References: https://bugs.freedesktop.org/show_bug.cgi?id=47597
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
 src/sna/sna_glyphs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sna/sna_glyphs.c b/src/sna/sna_glyphs.c
index cd29b07e..f8959e16 100644
--- a/src/sna/sna_glyphs.c
+++ b/src/sna/sna_glyphs.c
@@ -1049,8 +1049,8 @@ glyphs_format(int nlist, GlyphListPtr list, GlyphPtr * glyphs)
 	BoxRec stack_extents[64], *list_extents = stack_extents;
 	int i, j;
 
-	if (nlist > ARRAY_SIZE(stack_extents) + 1) {
-		list_extents = malloc(sizeof(BoxRec) * (nlist-1));
+	if (nlist > ARRAY_SIZE(stack_extents)) {
+		list_extents = malloc(sizeof(BoxRec) * nlist);
 		if (list_extents == NULL)
 			return NULL;
 	}