[cairo-commit] 2 commits - src/cairo-surface.c
Chris Wilson
ickle at kemper.freedesktop.org
Sat Feb 2 01:01:36 PST 2013
src/cairo-surface.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
New commits:
commit 10110d58cee179cded8e4c4ff8a8d02c477585bd
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Sat Feb 2 08:47:26 2013 +0000
surface: Prevent reads from the user-data arrays during teardown
In a similar fashion to the previous commit, we also need to be wary of
users simply trying to read from a potentially freed user-data array.
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
diff --git a/src/cairo-surface.c b/src/cairo-surface.c
index 5ec659e..5c6969c 100644
--- a/src/cairo-surface.c
+++ b/src/cairo-surface.c
@@ -1096,6 +1096,10 @@ void *
cairo_surface_get_user_data (cairo_surface_t *surface,
const cairo_user_data_key_t *key)
{
+ /* Prevent reads of the array during teardown */
+ if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+ return NULL;
+
return _cairo_user_data_array_get_data (&surface->user_data, key);
}
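Review bot: The new early return makes NULL mean two things to callers of cairo_surface_get_user_data: "nothing stored under this key" and "the surface is being torn down", and nothing at the call site can tell them apart. That is inherent to the getter's interface, so the comment at the top of the hunk should say so: `/* Prevent reads of the array during teardown; NULL here is indistinguishable from "no data" to the caller */`. The same silent outcome applies to the get_mime_data hunk below (L29-37), whose out-parameters are cleared before the guard. Unlike the setters in the earlier commit in this mail (18cff63), there is no preceding CAIRO_REFERENCE_COUNT_IS_INVALID test here; presumably HAS_REFERENCE is false for the invalid sentinel so nil surfaces also return NULL, but that depends on macro definitions outside this hunk.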
@@ -1157,7 +1161,9 @@ cairo_surface_get_mime_data (cairo_surface_t *surface,
*data = NULL;
*length = 0;
- if (unlikely (surface->status))
+
+ /* Prevent reads of the array during teardown */
+ if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
return;
/* The number of mime-types attached to a surface is usually small,
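Review bot: The `if (unlikely (surface->status))` guard is removed rather than supplemented, so a surface in an error state that still holds references now falls through to the mime-data lookup instead of returning early as it did before. If that is intended (an error surface carries an empty array), the commit message should say so; otherwise keep both conditions: `if (unlikely (surface->status) || ! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count)) return;`. cairo_surface_get_mime_data's body continues outside the hunk.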
commit 18cff63e3d288bf2d7773760f2ab25c80a4a2bc1
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Sat Feb 2 08:47:26 2013 +0000
surface: Prevent writes to the user-data arrays during teardown
As we cleanup the user-data arrays, we call the user provided destroy
notifier callbacks. These callbacks are at liberty to write back into
the parent surface, and in particular try to write into the arrays that
we have just freed. This causes hard to control and fairly unpredictable
use-after-frees in the client, so let's just rule out the dangerous
behaviour.
References:https://bugzilla.mozilla.org/show_bug.cgi?id=722975
Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>
diff --git a/src/cairo-surface.c b/src/cairo-surface.c
index ffffef8..5ec659e 100644
--- a/src/cairo-surface.c
+++ b/src/cairo-surface.c
@@ -1126,6 +1126,9 @@ cairo_surface_set_user_data (cairo_surface_t *surface,
if (CAIRO_REFERENCE_COUNT_IS_INVALID (&surface->ref_count))
return surface->status;
+ if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+ return _cairo_error (CAIRO_STATUS_SURFACE_FINISHED);
+
return _cairo_user_data_array_set_data (&surface->user_data,
key, user_data, destroy);
}
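Review bot: The two-line teardown guard added here is repeated verbatim in the set_mime_data hunk (L63-74), and the later commit in this mail repeats the HAS_REFERENCE test in both getters; a single `static inline` predicate, say `_cairo_surface_is_tearing_down (surface)`, would keep the four sites in sync if the reference-count convention ever changes. The new lines also deserve a comment saying why the reference count rather than `surface->finished` is the signal, since per the commit message the destroy notifiers run while the arrays are being freed: `/* Refuse writes once the last reference is gone: destroy notifiers may call back into this surface */`. The guard reads ref_count without synchronisation, which is only sound if the notifiers run on the thread performing the teardown; this hunk does not show that.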
@@ -1276,6 +1279,12 @@ cairo_surface_set_mime_data (cairo_surface_t *surface,
cairo_status_t status;
cairo_mime_data_t *mime_data;
+ if (CAIRO_REFERENCE_COUNT_IS_INVALID (&surface->ref_count))
+ return surface->status;
+
+ if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+ return _cairo_error (CAIRO_STATUS_SURFACE_FINISHED);
+
if (unlikely (surface->status))
return surface->status;
if (unlikely (surface->finished))
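Review bot: The new HAS_REFERENCE guard is placed before the existing `if (unlikely (surface->status))` check, so a surface that is both in an error state and being torn down now reports CAIRO_STATUS_SURFACE_FINISHED instead of its stored status, changing the precedence of errors this function reports. Moving the new guard below the status check preserves the old precedence: keep `if (unlikely (surface->status)) return surface->status;` first and the `! CAIRO_REFERENCE_COUNT_HAS_REFERENCE` test after it. The existing `surface->finished` check on the hunk's last line then remains as a second finished-surface path, which is worth a short comment so the two are not mistaken for a duplicate. cairo_surface_set_mime_data's body continues outside the hunk.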