From 67aa8305117327d14f1a2410be7a6594bd00844f Mon Sep 17 00:00:00 2001
From: Victor Savu
Date: Mon, 4 Mar 2013 20:43:33 +0200
Subject: [PATCH] fix use after free the string created by value.substr(index * 2, 2) is deleted after c_str() but before strtoul executes. The solution is to use a temporary string to store the value.
---
 spine-cpp/src/spine/BaseSkeletonJson.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/spine-cpp/src/spine/BaseSkeletonJson.cpp b/spine-cpp/src/spine/BaseSkeletonJson.cpp
index fa42ce0a0..f5ea292f0 100644
--- a/spine-cpp/src/spine/BaseSkeletonJson.cpp
+++ b/spine-cpp/src/spine/BaseSkeletonJson.cpp
@@ -21,8 +21,9 @@ namespace spine {
 static float toColor (const string &value, int index) {
 if (value.size() != 8) throw runtime_error("Error parsing color, length must be 8: " + value);
 char *p;
- int color = strtoul(value.substr(index * 2, 2).c_str(), &p, 16);
- if (*p != 0) throw runtime_error("Error parsing color: " + value + ", invalid hex value: " + value.substr(index * 2, 2));
+ string tmp = value.substr(index * 2, 2);
+ int color = strtoul(tmp.c_str(), &p, 16);
+ if (*p != 0) throw runtime_error("Error parsing color: " + value + ", invalid hex value: " + tmp);
 return color / (float)255;
 }
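Review bot: The `*p != 0` test after `strtoul(tmp.c_str(), &p, 16)` does not guarantee that `tmp` is exactly two hex digits, because strtoul also accepts leading whitespace and a sign, and it reports success on an empty string. A component such as `-1` or ` f` is consumed to the terminator and passes the check; the negated result is then narrowed into `int color`, so toColor can return a value outside 0..1 for a malformed colour string in the skeleton JSON. An `index` of 4 makes `substr` return an empty string, which is silently accepted as 0. I would validate before converting, `if (tmp.size() != 2 || !isxdigit((unsigned char)tmp[0]) || !isxdigit((unsigned char)tmp[1])) throw runtime_error("Error parsing color: " + value + ", invalid hex value: " + tmp);`, and hold the result in an `unsigned long` rather than `int`. This assumes `<cctype>` is available in the file, which the hunk does not show.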