cssselector: Ensure we do not index out of bounds

This would only happen if the last element was deprecated, but it should
be avoided anyway.

CID 1388852 (#1 of 1): Out-of-bounds read (OVERRUN)
12. overrun-local: Overrunning array pseudo_classes of 16 32-byte
elements at element index 16 (byte offset 512) using index i + 1U (which
evaluates to 16).

diff --git a/gtk/gtkcssselector.c b/gtk/gtkcssselector.c
index b2b0260af7262a42d3a52447d3604455328d30cd..40c43559f5297863ffe352c4e629930de07bcf69 100644 (file)
--- a/gtk/gtkcssselector.c
+++ b/gtk/gtkcssselector.c
@@ -1124,8 +1124,8 @@ parse_selector_pseudo_class (GtkCssParser   *parser,
     { "visited",       0, GTK_STATE_FLAG_VISITED, },
     { "checked",       0, GTK_STATE_FLAG_CHECKED, },
     { "drop(active)",  0, GTK_STATE_FLAG_DROP_ACTIVE, }
-
   };
+
   guint i;
 
   if (_gtk_css_parser_try (parser, "nth-child", FALSE))
@@ -1145,7 +1145,8 @@ parse_selector_pseudo_class (GtkCssParser   *parser,
               selector->state.state = pseudo_classes[i].state_flag;
               if (pseudo_classes[i].deprecated)
                 {
-                  if (pseudo_classes[i + 1].state_flag == pseudo_classes[i].state_flag)
+                  if (i + 1 < G_N_ELEMENTS (pseudo_classes) &&
+                      pseudo_classes[i + 1].state_flag == pseudo_classes[i].state_flag)
                     _gtk_css_parser_error_full (parser,
                                                 GTK_CSS_PROVIDER_ERROR_DEPRECATED,
                                                 "The :%s pseudo-class is deprecated. Use :%s instead.",