[cairo-commit] 2 commits - src/cairo-spans-compositor.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Fri Jan 22 19:00:12 UTC 2021


 src/cairo-spans-compositor.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit 48194cf093d6eadf1a64f45d76b1fe001f467a05
Merge: ee90ce594 b345be5af
Author: Uli Schlachter <psychon at znc.in>
Date:   Fri Jan 22 19:00:10 2021 +0000

    Merge branch 'fill-use-after-free' into 'master'
    
    Avoid use after free in cairo_fill
    
    See merge request cairo/cairo!116

commit b345be5afeee60c04414867ea6eb671793880ecd
Author: Matthias Clasen <mclasen at redhat.com>
Date:   Fri Jan 22 13:28:44 2021 -0500

    Avoid a use-after-free
    
    asan was complaining that the limits struct goes out
    of scope before it is used via the pointer in the polygon struct,
    and it is right:
    
    ==386746==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd3ccebdfc at pc 0x7f783d5eaaee bp 0x7ffd3cceba80 sp 0x7ffd3cceba70
    READ of size 4 at 0x7ffd3ccebdfc thread T0
        #0 0x7f783d5eaaed in _add_clipped_edge ../src/cairo-polygon.c:351
        #1 0x7f783d5ebba3 in _cairo_polygon_add_edge ../src/cairo-polygon.c:520
        #2 0x7f783d5ebc82 in _cairo_polygon_add_external_edge ../src/cairo-polygon.c:530
        #3 0x7f783d582149 in _cairo_filler_line_to ../src/cairo-path-fill.c:63
        #4 0x7f783d588d9c in _cairo_path_fixed_interpret ../src/cairo-path-fixed.c:831
        #5 0x7f783d582a44 in _cairo_path_fixed_fill_to_polygon ../src/cairo-path-fill.c:147
        #6 0x7f783d6204fe in _cairo_spans_compositor_fill ../src/cairo-spans-compositor.c:1151
        #7 0x7f783d5126de in _cairo_compositor_fill ../src/cairo-compositor.c:203
        #8 0x7f783d5571f9 in _cairo_image_surface_fill ../src/cairo-image-surface.c:1003
        #9 0x7f783d647f2f in _cairo_surface_fill ../src/cairo-surface.c:2424
        #10 0x7f783d52ebea in _cairo_gstate_fill ../src/cairo-gstate.c:1312
        #11 0x7f783d51cca4 in _cairo_default_context_fill ../src/cairo-default-context.c:1057
        #12 0x7f783d6812d6 in cairo_fill ../src/cairo.c:2421

diff --git a/src/cairo-spans-compositor.c b/src/cairo-spans-compositor.c
index efbae254b..5f956ca98 100644
--- a/src/cairo-spans-compositor.c
+++ b/src/cairo-spans-compositor.c
@@ -1128,6 +1128,7 @@ _cairo_spans_compositor_fill (const cairo_compositor_t		*_compositor,
     }
     if (status == CAIRO_INT_STATUS_UNSUPPORTED) {
 	cairo_polygon_t polygon;
+	cairo_box_t limits;
 
 	TRACE((stderr, "%s - polygon\n", __FUNCTION__));
 
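Review bot: The hoisted `cairo_box_t limits;` on the new side carries no hint of why it lives at block scope, which is the whole point of the fix: `_cairo_polygon_init (&polygon, &limits, 1)` in the second hunk stores the address of `limits`, not a copy, so it must stay in scope for as long as `polygon` is used (the stack-use-after-scope read in `_add_clipped_edge` quoted in the commit message). Without a comment a later tidy-up could move the declaration back into the `else` branch and reintroduce the bug; I would write `cairo_box_t limits; /* polygon keeps a pointer to this; must outlive polygon */` next to the new declaration. In the `num_boxes == 1` branch `limits` is now left uninitialized, which looks harmless since that branch passes `extents->clip->boxes` instead, but it is worth stating in the same comment. The enclosing `_cairo_spans_compositor_fill` body starts and ends outside both hunks, so the later uses of `polygon` that this fix protects are not visible here.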
@@ -1138,7 +1139,6 @@ _cairo_spans_compositor_fill (const cairo_compositor_t		*_compositor,
 	    if (extents->clip->num_boxes == 1) {
 		_cairo_polygon_init (&polygon, extents->clip->boxes, 1);
 	    } else {
-		cairo_box_t limits;
 		_cairo_box_from_rectangle (&limits, &extents->unbounded);
 		_cairo_polygon_init (&polygon, &limits, 1);
 	    }

