<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><span class="vcard"><a class="email" href="mailto:psychon@znc.in" title="Uli Schlachter <psychon@znc.in>"> <span class="fn">Uli Schlachter</span></a>
</span> changed
          <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Assertion &quot;(_cairo_atomic_int_get (&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91967">bug 91967</a>
          <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Status</td>
           <td>NEW
           </td>
           <td>RESOLVED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Resolution</td>
           <td>---
           </td>
           <td>FIXED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Assignee</td>
           <td>chris@chris-wilson.co.uk
           </td>
           <td>psychon@znc.in
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Assertion &quot;(_cairo_atomic_int_get (&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91967#c45">Comment # 45</a>
              on <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Assertion &quot;(_cairo_atomic_int_get (&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91967">bug 91967</a>
              from <span class="vcard"><a class="email" href="mailto:psychon@znc.in" title="Uli Schlachter <psychon@znc.in>"> <span class="fn">Uli Schlachter</span></a>
</span></b>
        <pre>commit d69dd6b341594c338fa6c7b327fd7f201eb37bc1
Author: Uli Schlachter &lt;<a href="mailto:psychon@znc.in">psychon@znc.in</a>&gt;
Date:   Sat Jun 18 15:08:52 2016 +0200

    xlib: Fix double free in _get_image_surface()

    If XShmGetImage() fails, the code tries to continue with its normal,
    non-shared-memory path. However, the image variable, which was previously set to
    NULL, now points to an already-destroyed surface, causing a double-free when the
    function cleans up after itself (actually, it's an assertion failure because the
    reference count of the surface is zero, but technically this is still a double
    free).

    Fix this by setting image=NULL after destroying the surface that this refers to,
    to make sure this surface will not be destroyed again.

    While we are here (multiple changes in a single commit are bad...), also fix the
    cleanup done in bail. In practice, &amp;image-&gt;base should be safe when image==NULL,
    because this just adds some offset to the pointer (the offset here is actually
    zero, so this doesn't do anything at all). However, the C standard does not
    require this to be safe, so let's handle this case specially.

    Note that anything that is fixed by this change is still buggy, because the only
    reason why XShmGetImage() could fail would be BadDrawable, meaning that the
    target we draw to does not exist or was already destroyed. This patch will
    likely just cause X11 errors elsewhere and drawing to (possibly) invalid
    drawables is not supported by cairo anyway. This means that if SHM fails, the
    following fallback code has a high chance of failing, too.

    Fixes: <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED FIXED - Assertion &quot;(_cairo_atomic_int_get (&amp;(&amp;surface-&gt;ref_count)-&gt;ref_count) &gt; 0)&quot;"
   href="show_bug.cgi?id=91967">https://bugs.freedesktop.org/show_bug.cgi?id=91967</a>
    Signed-off-by: Uli Schlachter &lt;<a href="mailto:psychon@znc.in">psychon@znc.in</a>&gt;</pre>
        </div>
      </p>
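      <p>The control flow the commit message describes, as an added example that is not cairo's code and not part of the original comment: a toy refcounted surface where the early failure path destroys the object and shared cleanup later destroys it again unless the pointer was cleared. All names (surface_t, get_image, bad_destroys) are hypothetical, and storage is static so the stale pointer can be inspected without real memory corruption.</p>

```c
#include <stdio.h>

/* Toy refcounted surface (hypothetical, not cairo's types). Objects live in
 * static storage, so touching a stale pointer here is safe to demonstrate. */
typedef struct { int ref_count; } surface_t;

static int bad_destroys; /* destroy calls that found ref_count already 0 */

static surface_t *surface_create(surface_t *slot)
{
    slot->ref_count = 1;
    return slot;
}

static void surface_destroy(surface_t *s)
{
    if (s == NULL) return;
    if (s->ref_count <= 0) { bad_destroys++; return; } /* the real code asserts */
    s->ref_count--;
}

/* shm_ok and fallback_ok simulate the outcome of the shared-memory attempt
 * and of the fallback path; fixed selects whether the pointer is cleared.
 * Returns how many times an already-dead surface was destroyed. */
static int get_image(int shm_ok, int fallback_ok, int fixed)
{
    static surface_t shm_slot, plain_slot;
    surface_t *image = surface_create(&shm_slot);
    int status = 0;

    bad_destroys = 0;
    if (shm_ok) goto bail;            /* success: image stays valid */
    surface_destroy(image);           /* SHM failed: drop its surface */
    if (fixed) image = NULL;          /* the fix: forget the dead surface */
    if (fallback_ok) image = surface_create(&plain_slot);
    else status = -1;                 /* fallback failed as well */
bail:
    if (status && image != NULL)      /* cleanup never derives from NULL */
        surface_destroy(image);
    return bad_destroys;
}

int main(void)
{
    printf("unfixed, both paths fail: %d bad destroy(s)\n", get_image(0, 0, 0));
    printf("fixed,   both paths fail: %d bad destroy(s)\n", get_image(0, 0, 1));
    return 0;
}
```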
    </body>
</html>