freed-pool: Don't access beyond the end of the array.

Argh. This bug has been here for quite some time and only showed itself
with a corrupt pointer on ppc32. Since the erroneous write is inside the
block, it remained undetected by valgrind.

src/cairo-freed-pool-private.h

@@ -50,7 +50,7 @@ typedef struct {
     int top;
 } freed_pool_t;
 
-static inline void *
+static cairo_always_inline void *
 _atomic_fetch (void **slot)
 {
     void *ptr;
@@ -62,7 +62,7 @@ _atomic_fetch (void **slot)
     return ptr;
 }
 
-static inline cairo_bool_t
+static cairo_always_inline cairo_bool_t
 _atomic_store (void **slot, void *ptr)
 {
     return _cairo_atomic_ptr_cmpxchg (slot, NULL, ptr);
@@ -100,7 +100,9 @@ _freed_pool_put (freed_pool_t *pool, void *ptr)
     int i;
 
     i = pool->top;
-    if (likely (_atomic_store (&pool->pool[i], ptr))) {
+    if (likely (i < ARRAY_LENGTH (pool->pool) &&
+		_atomic_store (&pool->pool[i], ptr)))
+    {
 	pool->top = i + 1;
 	return;
     }

src/cairo-freed-pool.c

@@ -73,7 +73,7 @@ _freed_pool_put_search (freed_pool_t *pool, void *ptr)
     }
 
     /* full */
-    pool->top = ARRAY_LENGTH (pool->pool);
+    pool->top = i;
     free (ptr);
 }
 
@@ -86,6 +86,8 @@ _freed_pool_reset (freed_pool_t *pool)
 	free (pool->pool[i]);
 	pool->pool[i] = NULL;
     }
+
+    pool->top = 0;
 }
 
 #endif