[gsettings] Invalid write of size 4 in readOption

==9194== Invalid write of size 4
==9194== at 0x4BE98E5: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.3200.1)
==9194== by 0x4BEA6CA: g_variant_iter_loop (in /lib/i386-linux-gnu/libglib-2.0.so.0.3200.1)
==9194== by 0x4086C66: readOption (gsettings.c:336)
==9194== by 0x4086FB9: readSetting (gsettings.c:1077)
==9194== by 0x405BCB4: ccsReadPluginSettingsDefault (main.c:2793)
==9194== by 0x4059D40: ccsReadPluginSettings (main.c:2804)
==9194== by 0x404DB32: ccsLoadPluginSettings (compiz.cpp:3256)
==9194== by 0x40570B6: ccsGetPluginSettingsDefault (main.c:4677)
==9194== by 0x40BB4D2: (below main) (libc-start.c:226)
==9194== Address 0x63cac68 is 0 bytes after a block of size 0 alloc'd
==9194== at 0x402CE68: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==9194== by 0x4086C38: readOption (gsettings.c:328)
==9194== by 0x4086FB9: readSetting (gsettings.c:1077)
==9194== by 0x405BCB4: ccsReadPluginSettingsDefault (main.c:2793)
==9194== by 0x4059D40: ccsReadPluginSettings (main.c:2804)
==9194== by 0x404DB32: ccsLoadPluginSettings (compiz.cpp:3256)
==9194== by 0x40570B6: ccsGetPluginSettingsDefault (main.c:4677)
==9194== by 0x40BB4D2: (below main) (libc-start.c:226)
==9194==

Offending code:

     Bool *array = malloc (nItems * sizeof (Bool));
     Bool *arrayCounter = array;

     if (!array)
  break;

     /* Reads each item from the variant into the position pointed
      * at by arrayCounter */
     while (g_variant_iter_loop (iter, variantType, arrayCounter))
  *arrayCounter++;

     list = ccsGetValueListFromBoolArray (array, nItems, setting);
     free (array);

It isn't valid to read directly into arrayCounter as its assumed to be initialized memory in use by the iter, and will be freed.