[cairo-commit] 2 commits - src/cairo-surface.c

Chris Wilson ickle at kemper.freedesktop.org
Sat Feb 2 01:01:36 PST 2013


 src/cairo-surface.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

New commits:
commit 10110d58cee179cded8e4c4ff8a8d02c477585bd
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Sat Feb 2 08:47:26 2013 +0000

    surface: Prevent reads from the user-data arrays during teardown
    
    In a similar fashion to the previous commit, we also need to be wary of
    users simply trying to read from a potentially freed user-data array.
    
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>

diff --git a/src/cairo-surface.c b/src/cairo-surface.c
index 5ec659e..5c6969c 100644
--- a/src/cairo-surface.c
+++ b/src/cairo-surface.c
@@ -1096,6 +1096,10 @@ void *
 cairo_surface_get_user_data (cairo_surface_t		 *surface,
 			     const cairo_user_data_key_t *key)
 {
+    /* Prevent reads of the array during teardown */
+    if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+	return NULL;
+
     return _cairo_user_data_array_get_data (&surface->user_data, key);
 }
 
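Review bot: The new guard makes `cairo_surface_get_user_data` return NULL for a surface whose reference count has dropped, which callers cannot distinguish from "no data stored under this key"; the function's gtk-doc comment (outside the hunk) should state it, e.g. `Returns: the user data previously attached, or %NULL if none or if the surface is being torn down.` The guard also only works if the count reaches zero before the user-data array is finalized on the destroy path, which is not visible here and is worth a one-line comment next to the check. The check also differs from the setter in the second commit, which tests `CAIRO_REFERENCE_COUNT_IS_INVALID` first; here an invalid count falls through to the same NULL return, which looks intended but deserves a word in the comment.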
@@ -1157,7 +1161,9 @@ cairo_surface_get_mime_data (cairo_surface_t		*surface,
 
     *data = NULL;
     *length = 0;
-    if (unlikely (surface->status))
+
+    /* Prevent reads of the array during teardown */
+    if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
 	return;
 
     /* The number of mime-types attached to a surface is usually small,
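Review bot: The replaced `if (unlikely (surface->status)) return;` is not re-added, so `cairo_surface_get_mime_data` now proceeds to walk the mime-data array for a live surface in an error state, which the old code refused to do; this is a behaviour change beyond the teardown fix described in the message. Keep both guards: `if (unlikely (surface->status)) return;` after the new reference-count test. The rest of the function body lies outside the hunk.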
commit 18cff63e3d288bf2d7773760f2ab25c80a4a2bc1
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Sat Feb 2 08:47:26 2013 +0000

    surface: Prevent writes to the user-data arrays during teardown
    
    As we cleanup the user-data arrays, we call the user provided destroy
    notifier callbacks. These callbacks are at liberty to write back into
    the parent surface, and in particular try to write into the arrays that
    we have just freed. This causes hard to control and fairly unpredictable
    use-after-frees in the client, so let's just rule out the dangerous
    behaviour.
    
    References:https://bugzilla.mozilla.org/show_bug.cgi?id=722975
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>

diff --git a/src/cairo-surface.c b/src/cairo-surface.c
index ffffef8..5ec659e 100644
--- a/src/cairo-surface.c
+++ b/src/cairo-surface.c
@@ -1126,6 +1126,9 @@ cairo_surface_set_user_data (cairo_surface_t		 *surface,
     if (CAIRO_REFERENCE_COUNT_IS_INVALID (&surface->ref_count))
 	return surface->status;
 
+    if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+	return _cairo_error (CAIRO_STATUS_SURFACE_FINISHED);
+
     return _cairo_user_data_array_set_data (&surface->user_data,
 					    key, user_data, destroy);
 }
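Review bot: Both setters now fail with `CAIRO_STATUS_SURFACE_FINISHED` when called once the reference count has reached zero, i.e. from inside a destroy-notify callback, but neither hunk adds a comment saying so; the check at the top of this hunk and the matching one in `cairo_surface_set_mime_data` below would read better with `/* Writes from destroy-notify callbacks during teardown would hit a freed array */` and the gtk-doc comments (outside the hunks) should list the new error. In the `set_mime_data` hunk the added `CAIRO_REFERENCE_COUNT_IS_INVALID` path returns `surface->status` ahead of the existing `surface->status` check, so for nil surfaces that earlier line is now unreachable; this is harmless but worth noting. Both function bodies continue outside the hunks.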
@@ -1276,6 +1279,12 @@ cairo_surface_set_mime_data (cairo_surface_t		*surface,
     cairo_status_t status;
     cairo_mime_data_t *mime_data;
 
+    if (CAIRO_REFERENCE_COUNT_IS_INVALID (&surface->ref_count))
+	return surface->status;
+
+    if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+	return _cairo_error (CAIRO_STATUS_SURFACE_FINISHED);
+
     if (unlikely (surface->status))
 	return surface->status;
     if (unlikely (surface->finished))

