[cairo-commit] 2 commits - src/cairo-cff-subset.c
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Tue Jul 20 12:00:06 UTC 2021
src/cairo-cff-subset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 06f405c775f46e29a7cc89b03fba9ab71a3f2623
Merge: 08f2fb6b2 fc1d6caa8
Author: Adrian Johnson <ajohnson at redneon.com>
Date: Tue Jul 20 12:00:05 2021 +0000
Merge branch 'cff-subset-leak' into 'master'
Fix memory leak in cairo_cff_font_read_cid_fontdict
See merge request cairo/cairo!192
commit fc1d6caa8c1a161f201ea6dd76eae7ab797713f2
Author: Uli Schlachter <psychon at znc.in>
Date: Sat Jun 26 14:03:34 2021 +0200
Fix memory leak in cairo_cff_font_read_cid_fontdict
The function cairo_cff_font_read_cid_fontdict() has a local variable
"cairo_array_t index". This array is first filled with data from the
font with cff_index_read(). Later in this function, each resulting entry
is given to cff_dict_read(). Nothing else is done with the array.
Thus, nothing can keep a reference to "index" and thus this array has to
be finalised at the end of the function to avoid a memory leak.
This commit does that by falling through to the call to cff_index_fini()
that is already there in the error case. This function checks for each
element if its ->is_copy is true and then frees the data. However,
cff_index_read() only creates elements with ->is_copy = FALSE, thus this
does not do anything. At the end, this calls _cairo_array_fini() which
frees the array's memory.
Fixes the following memory leak according to valgrind:
24 bytes in 1 blocks are definitely lost in loss record 173 of 490
at 0x48386AF: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x483ADE7: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4A5ECC3: _cairo_array_grow_by (cairo-array.c:115)
by 0x4A5EEEE: _cairo_array_allocate (cairo-array.c:317)
by 0x4A5EE95: _cairo_array_append_multiple (cairo-array.c:288)
by 0x4A5EE6B: _cairo_array_append (cairo-array.c:265)
by 0x4AFB12E: cff_index_read (cairo-cff-subset.c:438)
by 0x4AFC280: cairo_cff_font_read_cid_fontdict (cairo-cff-subset.c:1022)
by 0x4AFCD42: cairo_cff_font_read_top_dict (cairo-cff-subset.c:1232)
by 0x4AFD145: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
by 0x4AFFDC0: cairo_cff_font_generate (cairo-cff-subset.c:2583)
by 0x4B00D71: _cairo_cff_subset_init (cairo-cff-subset.c:2975)
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30650
Signed-off-by: Uli Schlachter <psychon at znc.in>
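The leak pattern the commit message describes, shown as an added, self-contained C example that is not cairo's code. index_t, index_element_t, index_read, index_fini, dict_read, read_fontdict_leaky and read_fontdict_fixed are hypothetical stand-ins for cairo_array_t, cff_index_element_t, cff_index_read, cff_index_fini, cff_dict_read and the two shapes of cairo_cff_font_read_cid_fontdict; the INDEX byte layout and the sample buffers are constructed for the example, and a counting allocator replaces valgrind so the leak is visible as a live-allocation count.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Allocation counter (constructed for this example) so the leak shows up
 * as a non-zero live count instead of needing valgrind. */
static int live_allocs = 0;
static void *counted_malloc (size_t n) { void *p = malloc (n); if (p) live_allocs++; return p; }
static void counted_free (void *p) { if (p) { live_allocs--; free (p); } }

typedef enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY, STATUS_INVALID_FONT } status_t;

/* Hypothetical stand-ins for cairo's index element and cairo_array_t:
 * an element aliases the font buffer unless is_copy is set. */
typedef struct { const unsigned char *data; size_t length; bool is_copy; } index_element_t;
typedef struct { index_element_t *elements; size_t num, cap; } index_t;

static void index_init (index_t *idx) { memset (idx, 0, sizeof *idx); }

static status_t index_append (index_t *idx, const unsigned char *data, size_t length)
{
    if (idx->num == idx->cap) {               /* grow the backing array */
        size_t new_cap = idx->cap ? idx->cap * 2 : 4;
        index_element_t *grown = counted_malloc (new_cap * sizeof *grown);
        if (!grown) return STATUS_NO_MEMORY;
        if (idx->num) memcpy (grown, idx->elements, idx->num * sizeof *grown);
        counted_free (idx->elements);
        idx->elements = grown;
        idx->cap = new_cap;
    }
    idx->elements[idx->num++] = (index_element_t) { data, length, false }; /* no copy, as in cff_index_read */
    return STATUS_SUCCESS;
}

/* Mirrors what the commit message says cff_index_fini does: free copied
 * element data (none here), then the array storage itself. */
static void index_fini (index_t *idx)
{
    for (size_t i = 0; i < idx->num; i++)
        if (idx->elements[i].is_copy) counted_free ((void *) idx->elements[i].data);
    counted_free (idx->elements);
    index_init (idx);
}

/* Toy INDEX layout (constructed): a count byte, then count entries each
 * made of a 1-byte length and that many bytes. Entries alias the buffer. */
static status_t index_read (index_t *idx, const unsigned char *buf, size_t len)
{
    if (len < 1) return STATUS_INVALID_FONT;
    size_t count = buf[0], pos = 1;
    for (size_t i = 0; i < count; i++) {
        if (pos >= len) return STATUS_INVALID_FONT;
        size_t entry_len = buf[pos++];
        if (entry_len > len - pos) return STATUS_INVALID_FONT;   /* bounds check before aliasing */
        status_t st = index_append (idx, buf + pos, entry_len);
        if (st) return st;
        pos += entry_len;
    }
    return STATUS_SUCCESS;
}

/* Stand-in for cff_dict_read: an empty dict is treated as a corrupt font. */
static status_t dict_read (const index_element_t *e) { return e->length ? STATUS_SUCCESS : STATUS_INVALID_FONT; }

/* Shape of the function before the fix: the success path returns directly,
 * skipping index_fini, so the element array from index_read leaks. */
static status_t read_fontdict_leaky (const unsigned char *buf, size_t len)
{
    index_t index;
    status_t status;
    index_init (&index);
    status = index_read (&index, buf, len);
    for (size_t i = 0; i < index.num && !status; i++) status = dict_read (&index.elements[i]);
    if (status) goto fail;
    return STATUS_SUCCESS;                    /* leak: index is never finalised */
fail:
    index_fini (&index);
    return status;
}

/* Shape after the fix: success sets status and falls through to the same
 * cleanup the error path already used. */
static status_t read_fontdict_fixed (const unsigned char *buf, size_t len)
{
    index_t index;
    status_t status;
    index_init (&index);
    status = index_read (&index, buf, len);
    for (size_t i = 0; i < index.num && !status; i++) status = dict_read (&index.elements[i]);
    if (status) goto fail;
    status = STATUS_SUCCESS;
fail:
    index_fini (&index);                      /* runs on both paths */
    return status;
}

/* Constructed inputs: two valid dicts, and one whose second dict is empty. */
static const unsigned char sample_good[] = { 2, 3, 'a', 'b', 'c', 2, 'd', 'e' };
static const unsigned char sample_bad[]  = { 2, 3, 'a', 'b', 'c', 0 };

/* Run a reader and report how many allocations are still live (0 = no leak). */
static int live_after (status_t (*reader) (const unsigned char *, size_t),
                       const unsigned char *buf, size_t len)
{
    live_allocs = 0;
    reader (buf, len);
    return live_allocs;
}
```

On the valid input the leaky reader leaves one allocation live (the element array) while the fixed reader leaves none; on the corrupt input both are clean, because the error path always reached the cleanup label. That asymmetry is why a fuzzer, which exercises mostly rejected inputs, only flags the leak on the rare fully valid case, as the oss-fuzz report in the commit message did.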
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 8548ae3fe..be37724b4 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1108,7 +1108,7 @@ cairo_cff_font_read_cid_fontdict (cairo_cff_font_t *font, unsigned char *ptr)
goto fail;
}
- return CAIRO_STATUS_SUCCESS;
+ status = CAIRO_STATUS_SUCCESS;
fail:
cff_index_fini (&index);
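Review bot: the hunk ends at `cff_index_fini (&index);`, so the `return status;` that the new fall-through depends on is outside the visible context; confirm that the statement after the fini is `return status;` and not a hard-coded error code, otherwise the success path would now report a failure. A one-line comment above `fail:` stating the commit message's argument, that the fini is safe on the success path because `cff_index_read` leaves every element with `is_copy = FALSE`, would make that assumption visible to anyone who later stores copied data in `index`.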