From: Jeff Mahoney Subject: cairo: Fix wrong allocation in _cairo_pdf_surface_add_source_surface References: bnc#758422 _cairo_pdf_surface_add_source_surface allocates unique_id with size unique_id_length but then copies surface_key.unique_id_length into it. This causes e.g. evince to crash predictably while trying to print with: *** buffer overflow detected ***: evince terminated We should be using surface_key.unique_id_length instead. Signed-off-by: Jeff Mahoney --- src/cairo-pdf-surface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/src/cairo-pdf-surface.c +++ b/src/cairo-pdf-surface.c @@ -1379,7 +1379,7 @@ _cairo_pdf_surface_add_source_surface (c goto release_source; if (surface_key.unique_id && surface_key.unique_id_length > 0) { - unique_id = malloc (unique_id_length); + unique_id = malloc (surface_key.unique_id_length); if (unique_id == NULL) { status = _cairo_error (CAIRO_STATUS_NO_MEMORY); goto release_source;
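Review bot: In the `if (surface_key.unique_id && surface_key.unique_id_length > 0)` block, the allocation and the later copy still depend on two separately named lengths, the local `unique_id_length` and `surface_key.unique_id_length`, which is the mismatch the commit message gives as the cause of the overflow. The hunk does not show where the local is assigned or whether anything still reads it after this change. If it is meant to hold the same value, assign it from `surface_key.unique_id_length` just before the `malloc` and use that single variable for both the allocation and the copy; if nothing else uses it, remove it so the two cannot diverge again. It would also help for the commit message to state what `unique_id_length` held at this point (unset or stale), since that determines how far the copy could run past the buffer.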