[cairo-commit] 2 commits - src/cairo-pdf-interchange.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sun Feb 21 15:50:35 UTC 2021


 src/cairo-pdf-interchange.c |    7 +++++++
 1 file changed, 7 insertions(+)

New commits:
commit c62c43a8c653f5e4d20ef868065d4f882df9768e
Merge: f4e43b682 ac616c270
Author: Heiko Lewin <hlewin at gmx.de>
Date:   Sun Feb 21 15:50:34 2021 +0000

    Merge branch 'pdf-tag-leak' into 'master'
    
    Fix a memory leak with cairo_tag_begin() + pdf
    
    See merge request cairo/cairo!126

commit ac616c270dbcfaf5a70aef97cf989407f757fcbe
Author: Uli Schlachter <psychon at znc.in>
Date:   Sat Feb 13 10:00:42 2021 +0100

    Fix a memory leak with cairo_tag_begin() + pdf
    
    The error paths in _cairo_pdf_interchange_begin_dest_tag() do not clean
    up and cause some memory to be leaked. Fix this by adding the necessary
    free()s.
    
    The first hunk, the missing free(dest) was found by oss-fuzz (see link
    below).
    
    The second hunk is an obvious follow up. It also cleans up the memory
    allocated by _cairo_tag_parse_dest_attributes().
    
    The cleanup in the second hunk is similar to the function
    _named_dest_pluck() in the same function, but that function also removes
    the entry from a hash table.  The error case here is that exactly this
    hash table insertion failed.  Thus, the code cannot simply use the
    already existing function.
    
    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30880
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-pdf-interchange.c b/src/cairo-pdf-interchange.c
index 0f896d351..434486cc9 100644
--- a/src/cairo-pdf-interchange.c
+++ b/src/cairo-pdf-interchange.c
@@ -1134,13 +1134,20 @@ _cairo_pdf_interchange_begin_dest_tag (cairo_pdf_surface_t    *surface,
 
 	status = _cairo_tag_parse_dest_attributes (attributes, &dest->attrs);
 	if (unlikely (status))
+	{
+	    free (dest);
 	    return status;
+	}
 
 	dest->page = _cairo_array_num_elements (&surface->pages);
 	init_named_dest_key (dest);
 	status = _cairo_hash_table_insert (ic->named_dests, &dest->base);
 	if (unlikely (status))
+	{
+	    free (dest->attrs.name);
+	    free (dest);
 	    return status;
+	}
 
 	_cairo_tag_stack_set_top_data (&ic->analysis_tag_stack, dest);
 	cairo_list_add_tail (&dest->extents.link, &ic->extents_list);
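Review bot: The first error path (after _cairo_tag_parse_dest_attributes() fails) frees only dest, while the second error path (after _cairo_hash_table_insert() fails) also frees dest->attrs.name. Please confirm that _cairo_tag_parse_dest_attributes() releases anything it has already stored in dest->attrs before returning an error. If it can fail with attrs.name already allocated, the first path still leaks it and needs the same free (dest->attrs.name). That is only safe if dest->attrs is zero-initialised before the parse call, which this hunk does not show. The second path frees only the name member, so any other heap-owned member of dest->attrs would also need freeing here. Since the commit message notes that _named_dest_pluck() does the same cleanup plus the hash table removal, consider factoring the free-only part into a small static helper that both _named_dest_pluck() and these two error paths call, so the cleanup cannot drift if the attrs struct gains members.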

