[cairo-commit] 2 commits - src/cairo-ps-surface.c

Sat Apr 23 05:26:26 UTC 2022

src/cairo-ps-surface.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

New commits:
commit d9a5aa9d97d302c83aab985aff8b112668a82ac2
Merge: 5b662c925 a154424db
Author: Uli Schlachter <psychon at znc.in>
Date:   Sat Apr 23 05:26:22 2022 +0000

    Merge branch 'issue558' into 'master'
    
    fixed double free in _cairo_ps_surface_emit_base85_string
    
    Closes #558
    
    See merge request cairo/cairo!312

commit a154424db3b4c7b906d3e472f57a57afd7c1c1c9
Author: Ayman El Didi <ayman at eldidi.org>
Date:   Wed Apr 20 15:11:14 2022 -0600

    fixed double free in _cairo_ps_surface_emit_base85_string
    
    When taking the CAIRO_PS_COMPRESS_DEFLATE branch of the switch
    statement in _cairo_ps_surface_emit_base85_string, memory is freed
    a second time when closing the deflate_stream fails after performing a
    write.
    
    The status is now simply returned instead of attempting to free it
    again.

diff --git a/src/cairo-ps-surface.c b/src/cairo-ps-surface.c
index b5cf60d1b..5645aae4a 100644
--- a/src/cairo-ps-surface.c
+++ b/src/cairo-ps-surface.c
@@ -2489,6 +2489,7 @@ _cairo_ps_surface_emit_base85_string (cairo_ps_surface_t    *surface,
     unsigned char *data_compressed;
     unsigned long data_compressed_size;
     cairo_status_t status, status2;
+    cairo_status_t this_cannot_be_handled;
 
     if (use_strings)
 	string_array_stream = _base85_strings_stream_create (surface->stream);
@@ -2506,6 +2507,7 @@ _cairo_ps_surface_emit_base85_string (cairo_ps_surface_t    *surface,
 	return _cairo_output_stream_destroy (base85_stream);
     }
 
+    status = 0;
     switch (compress) {
 	case CAIRO_PS_COMPRESS_NONE:
 	    _cairo_output_stream_write (base85_stream, data, length);
@@ -2517,8 +2519,8 @@ _cairo_ps_surface_emit_base85_string (cairo_ps_surface_t    *surface,
 	    data_compressed_size = length;
 	    data_compressed = _cairo_lzw_compress ((unsigned char*)data, &data_compressed_size);
 	    if (unlikely (data_compressed == NULL)) {
-		status = _cairo_output_stream_destroy (string_array_stream);
-		status = _cairo_output_stream_destroy (base85_stream);
+		this_cannot_be_handled = _cairo_output_stream_destroy (string_array_stream);
+		this_cannot_be_handled = _cairo_output_stream_destroy (base85_stream);
 		return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 	    }
 	    _cairo_output_stream_write (base85_stream, data_compressed, data_compressed_size);
@@ -2533,9 +2535,9 @@ _cairo_ps_surface_emit_base85_string (cairo_ps_surface_t    *surface,
 	    _cairo_output_stream_write (deflate_stream, data, length);
 	    status = _cairo_output_stream_destroy (deflate_stream);
 	    if (unlikely (status)) {
-		status2 = _cairo_output_stream_destroy (string_array_stream);
-		status2 = _cairo_output_stream_destroy (base85_stream);
-		return _cairo_output_stream_destroy (deflate_stream);
+		this_cannot_be_handled = _cairo_output_stream_destroy (string_array_stream);
+		this_cannot_be_handled = _cairo_output_stream_destroy (base85_stream);
+		return status;
 	    }
 	    break;
     }
