[cairo-commit] 3 commits - src/cairo-mono-scan-converter.c src/cairo-scaled-font.c

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Fri Apr 22 15:49:57 UTC 2022


 src/cairo-mono-scan-converter.c |    1 -
 src/cairo-scaled-font.c         |    2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

New commits:
commit 06143050939846738080726ba29e1adf96a3a75c
Merge: 04232d987 fa8f456c2
Author: Uli Schlachter <psychon at znc.in>
Date:   Fri Apr 22 15:49:56 2022 +0000

    Merge branch 'fix-double-free-mono-scan' into 'master'
    
    Fix a double free in _cairo_mono_scan_converter_create
    
    Closes #557
    
    See merge request cairo/cairo!313

commit fa8f456c2b7a061ca379a86931d5cc99b7edf42d
Author: Feysh INC <opensource at feysh.com>
Date:   Fri Apr 22 17:09:47 2022 +0800

    Fix a use after free in cairo_scaled_font_create
    
    When `font_face` is freed by `cairo_font_face_destroy()` at line 1,150,
    the following call `_cairo_font_face_set_error (font_face, status)`
    causes a use after free.
    
    We moved up the `_cairo_font_face_set_error (font_face, status)` before
    `cairo_font_face_destroy()` to avoid the use after free.
    
    Signed-off-by: Feysh INC <opensource at feysh.com>

diff --git a/src/cairo-scaled-font.c b/src/cairo-scaled-font.c
index 30611dca4..270f8ed34 100755
--- a/src/cairo-scaled-font.c
+++ b/src/cairo-scaled-font.c
@@ -1145,6 +1145,7 @@ cairo_scaled_font_create (cairo_font_face_t          *font_face,
 						     ctm, options, &scaled_font);
     /* Did we leave the backend in an error state? */
     if (unlikely (status)) {
+	status = _cairo_font_face_set_error (font_face, status);
 	_cairo_scaled_font_map_unlock ();
 	if (font_face != original_font_face)
 	    cairo_font_face_destroy (font_face);
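Review bot: With the moved call on the added line, `_cairo_font_face_set_error` now runs before `_cairo_scaled_font_map_unlock ()`, i.e. while the scaled-font map lock is still held; if that helper can acquire a lock of its own this is a lock-ordering change worth confirming, and either way a one-line comment would make the ordering deliberate: `/* record the error before font_face may be destroyed below */`. Separately, when `font_face != original_font_face` the error is recorded on the derived face that the following lines destroy, so the caller's original face never carries it — that is pre-existing behaviour, but since the line is being moved anyway it may be worth checking whether `original_font_face` is the intended target. The second hunk at -1152 is the matching removal of the old call site. cairo_scaled_font_create starts before and ends after this hunk.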
@@ -1152,7 +1153,6 @@ cairo_scaled_font_create (cairo_font_face_t          *font_face,
 	if (dead != NULL)
 	    cairo_scaled_font_destroy (dead);
 
-	status = _cairo_font_face_set_error (font_face, status);
 	return _cairo_scaled_font_create_in_error (status);
     }
     /* Or did we encounter an error whilst constructing the scaled font? */
commit 99cd4bb3bd51bc62a2c8b5f9f4b6eda7625f0b96
Author: Feysh INC <opensource at feysh.com>
Date:   Fri Apr 22 16:43:59 2022 +0800

    Fix a double free in _cairo_mono_scan_converter_create
    
    When `_mono_scan_converter_init` failed,
    `self->converter->polygon` will be freed by `polygon_fini()`. However,
    the `bail` branch still called `polygon_fini()` to free
    `self->converter->polygon`.
    
    We remove the redundant `polygon_fini()` in `_mono_scan_converter_init`
    to avoid the double free.
    
    This fixes #557.
    
    Signed-off-by: Feysh INC <opensource at feysh.com>

diff --git a/src/cairo-mono-scan-converter.c b/src/cairo-mono-scan-converter.c
index 891f435c9..69168bd5d 100644
--- a/src/cairo-mono-scan-converter.c
+++ b/src/cairo-mono-scan-converter.c
@@ -403,7 +403,6 @@ _mono_scan_converter_init(struct mono_scan_converter *c,
 	c->spans = _cairo_malloc_ab (max_num_spans,
 				     sizeof (cairo_half_open_span_t));
 	if (unlikely (c->spans == NULL)) {
-	    polygon_fini (c->polygon);
 	    return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	}
     } else
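Review bot: After the removal, a failed `c->spans` allocation returns with `c->polygon` still initialised and relies on the caller's bail path to run `polygon_fini`, but nothing in the function records that ownership, so a comment on the return would guard against the same double free being reintroduced: `/* c->polygon is released by the caller's bail path; do not fini it here */`. It is also worth confirming that every other failure return in `_mono_scan_converter_init` after the polygon is initialised follows the same convention, since the function starts and ends outside this hunk and only this one path is visible.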

