From 54714cb22882ba97eb08a3b5eb0f0b0718a75665 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Wed, 19 Dec 2012 21:57:58 +0100
Subject: [PATCH] broadway: Fix possible access-after-free

We need to calculate the buf pointer after the realloc.
---
 gdk/broadway/broadway.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gdk/broadway/broadway.c b/gdk/broadway/broadway.c
index d16111e06e..157b3c1b7e 100644
--- a/gdk/broadway/broadway.c
+++ b/gdk/broadway/broadway.c
@@ -351,12 +351,12 @@ static void append_uint16 (BroadwayOutput *output, guint32 v) { gsize old_len = output->buf->len; + guint8 *buf; if (output->binary) { - guint8 *buf = (guint8 *)output->buf->str + old_len; - g_string_set_size (output->buf, old_len + 2); + buf = (guint8 *)output->buf->str + old_len; buf[0] = (v >> 0) & 0xff; buf[1] = (v >> 8) & 0xff; }
@@ -371,12 +371,12 @@ static void append_uint32 (BroadwayOutput *output, guint32 v) { gsize old_len = output->buf->len; + guint8 *buf; if (output->binary) { - guint8 *buf = (guint8 *)output->buf->str + old_len; - g_string_set_size (output->buf, old_len + 4); + buf = (guint8 *)output->buf->str + old_len; buf[0] = (v >> 0) & 0xff; buf[1] = (v >> 8) & 0xff; buf[2] = (v >> 16) & 0xff;
--
2.30.2
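Review bot: Nothing in append_uint16 or append_uint32 records why `buf` has to be derived after `g_string_set_size()`, so a later tidy-up that moves the initialiser back onto the declaration would silently reintroduce the stale pointer this commit removes. A one-line comment above the assignment in both hunks would pin the ordering, e.g. `/* g_string_set_size() may reallocate output->buf->str; take the pointer only afterwards */`. Any other helper in broadway.c that keeps a pointer into `output->buf->str` across a resize is worth checking for the same pattern; none is visible in these hunks. Both function bodies continue outside the hunks, so the non-binary branch is not covered by this note.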