[cairo-commit] 2 commits - src/cairo-output-stream.c src/cairo-script-surface.c test/bug-277.c test/Makefile.sources test/meson.build

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Sat Dec 31 15:14:01 UTC 2022


 src/cairo-output-stream.c  |   15 +------
 src/cairo-script-surface.c |   12 +++++
 test/Makefile.sources      |    3 -
 test/bug-277.c             |   94 +++++++++++++++++++++++++++++++++++++++++++++
 test/meson.build           |    3 -
 5 files changed, 113 insertions(+), 14 deletions(-)

New commits:
commit 7de261b0b16f2eec4dbe7d64484e9b5fc9a95e19
Merge: 001df8ad1 6a81bf820
Author: Uli Schlachter <psychon at znc.in>
Date:   Sat Dec 31 15:13:59 2022 +0000

    Merge branch 'script-bug-277' into 'master'
    
    script: Implement device finish
    
    Closes #277
    
    See merge request cairo/cairo!292

diff --cc test/Makefile.sources
index ab41aac5f,a2f5bf0e2..6a5b57575
--- a/test/Makefile.sources
+++ b/test/Makefile.sources
@@@ -24,11 -24,11 +24,12 @@@ test_sources = 
  	bug-spline.c					\
  	big-trap.c					\
  	bilevel-image.c					\
- 	bug-40410.c					\
+ 	bug-277.c					\
  	bug-361.c					\
+ 	bug-40410.c					\
  	bug-431.c					\
  	bug-448.c					\
 +	bug-535.c					\
  	bug-51910.c					\
  	bug-75705.c					\
  	bug-84115.c					\
diff --cc test/meson.build
index 4638dcca6,d23961693..74e059b39
--- a/test/meson.build
+++ b/test/meson.build
@@@ -24,11 -24,11 +24,12 @@@ test_sources = 
    'bug-spline.c',
    'big-trap.c',
    'bilevel-image.c',
-   'bug-40410.c',
+   'bug-277.c',
    'bug-361.c',
+   'bug-40410.c',
    'bug-431.c',
    'bug-448.c',
 +  'bug-535.c',
    'bug-51910.c',
    'bug-75705.c',
    'bug-84115.c',
commit 6a81bf8201ddeb8ff9b2174facc35e4076f08dd8
Author: Uli Schlachter <psychon at znc.in>
Date:   Wed Mar 2 16:13:28 2022 +0100

    script: Implement device finish
    
    Before this commit, calling cairo_device_finish() on a cairo-script
    context did not actually do anything in the backend. Thus, it was
    possible to continue emitting output on the script context even after it
    was finished, which means that the API user had no way of preventing
    use-after-free bugs in their write callback. Bug 277 triggers this via
    detaching a snapshot, but I guess one could also simply continue drawing
    to a script surface.
    
    This commit implements the finish function by closing the underlying
    stream.
    
    However, that was not enough to fix things. This commit also turns
    writing into a stream into a no-op after the stream was closed.
    
    I checked that the new test case actually fails before this commit and
    is indeed fixed by it.
    
    Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/277
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-output-stream.c b/src/cairo-output-stream.c
index 826c9cf8e..7305b52ca 100644
--- a/src/cairo-output-stream.c
+++ b/src/cairo-output-stream.c
@@ -259,11 +259,13 @@ void
 _cairo_output_stream_write (cairo_output_stream_t *stream,
 			    const void *data, size_t length)
 {
-    if (length == 0)
+    if (length == 0 || stream->status)
 	return;
 
-    if (stream->status)
+    if (stream->closed) {
+	stream->status = CAIRO_STATUS_WRITE_ERROR;
 	return;
+    }
 
     stream->status = stream->write_func (stream, data, length);
     stream->position += length;
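Review bot: The `stream->closed` branch in `_cairo_output_stream_write` is now the only thing that stops `write_func` from being called on a finished stream, and it carries no comment saying so; I would add `/* The stream was closed: the user's write closure may be gone, so fail instead of calling write_func. */` above it. The hunks at -278, -407 and -786 drop their own `status` early returns and rely on this check. In the -786 hunk (`_cairo_memory_stream_copy`) that removal also changes which error survives: with the `dest->status` guard gone, `dest->status = base->status` now replaces an error already stored on `dest`, so please confirm that callers do not expect the first error to be kept. The function body continues past the end of this hunk.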
@@ -278,9 +280,6 @@ _cairo_output_stream_write_hex_string (cairo_output_stream_t *stream,
     char buffer[2];
     unsigned int i, column;
 
-    if (stream->status)
-	return;
-
     for (i = 0, column = 0; i < length; i++, column++) {
 	if (column == 38) {
 	    _cairo_output_stream_write (stream, "\n", 1);
@@ -407,9 +406,6 @@ _cairo_output_stream_vprintf (cairo_output_stream_t *stream,
     int length_modifier, width;
     cairo_bool_t var_width;
 
-    if (stream->status)
-	return;
-
     f = fmt;
     p = buffer;
     while (*f != '\0') {
@@ -786,9 +782,6 @@ _cairo_memory_stream_copy (cairo_output_stream_t *base,
 {
     memory_stream_t *stream = (memory_stream_t *) base;
 
-    if (dest->status)
-	return;
-
     if (base->status) {
 	dest->status = base->status;
 	return;
diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index ca9bafbb7..0abf4d029 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -2112,6 +2112,16 @@ _device_flush (void *abstract_device)
     return _cairo_output_stream_flush (ctx->stream);
 }
 
+static void
+_device_finish (void *abstract_device)
+{
+    cairo_script_context_t *ctx = abstract_device;
+
+    cairo_status_t status = _cairo_output_stream_close (ctx->stream);
+    status = _cairo_device_set_error (&ctx->base, status);
+    (void) status;
+}
+
 static void
 _device_destroy (void *abstract_device)
 {
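Review bot: `_device_finish` has no comment stating the guarantee it exists to provide, namely that the write callback passed to the script device is not used again once `cairo_device_finish()` has returned. A short header such as `/* Close the output stream so the user's write closure is never used after finish; a close error is recorded on the device. */` would document that contract next to the code. It would also help to say whether closing may still invoke the callback one last time for buffered output, since that is not visible from this hunk and test/bug-277.c sets its `finished` flag only after the call returns. The trailing context of this hunk is the start of `_device_destroy`, whose body lies outside it.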
@@ -3731,7 +3741,7 @@ static const cairo_device_backend_t _cairo_script_device_backend = {
     NULL, NULL, /* lock, unlock */
 
     _device_flush,  /* flush */
-    NULL,  /* finish */
+    _device_finish,  /* finish */
     _device_destroy
 };
 
diff --git a/test/Makefile.sources b/test/Makefile.sources
index c180289ab..a2f5bf0e2 100644
--- a/test/Makefile.sources
+++ b/test/Makefile.sources
@@ -24,8 +24,9 @@ test_sources = \
 	bug-spline.c					\
 	big-trap.c					\
 	bilevel-image.c					\
-	bug-40410.c					\
+	bug-277.c					\
 	bug-361.c					\
+	bug-40410.c					\
 	bug-431.c					\
 	bug-448.c					\
 	bug-51910.c					\
diff --git a/test/bug-277.c b/test/bug-277.c
new file mode 100644
index 000000000..f4de539a4
--- /dev/null
+++ b/test/bug-277.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright © 2022 Uli Schlachter
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *
+ * Author: Uli Schlachter <psychon at znc.in>
+ */
+
+#include "cairo-test.h"
+#include "cairo-script.h"
+
+struct write_data {
+    cairo_bool_t finished;
+    cairo_test_status_t test_status;
+};
+
+static cairo_surface_t*
+create_recording_surface ()
+{
+    /* Create a non-empty recording surface with arbitrary content */
+    cairo_surface_t *surf = cairo_recording_surface_create (CAIRO_CONTENT_COLOR, NULL);
+    cairo_t *cr = cairo_create (surf);
+
+    cairo_move_to (cr, 0, 0);
+    cairo_line_to (cr, 10, 0);
+    cairo_stroke (cr);
+
+    cairo_destroy (cr);
+    return surf;
+}
+
+static cairo_status_t
+write_func(void *closure, const unsigned char* bytes, unsigned int length)
+{
+    struct write_data *data = closure;
+    (void) bytes; (void) length;
+
+    if (data->finished)
+	data->test_status = CAIRO_TEST_ERROR;
+
+    return CAIRO_STATUS_SUCCESS;
+}
+
+static cairo_test_status_t
+preamble (cairo_test_context_t *ctx)
+{
+    struct write_data write_data = { FALSE, CAIRO_TEST_SUCCESS };
+    cairo_device_t *script_device = cairo_script_create_for_stream (write_func, &write_data);
+    cairo_surface_t *recording = create_recording_surface ();
+    cairo_surface_t *script;
+    cairo_t *cr;
+
+    /* Draw the recording surface to a script surface */
+    script = cairo_script_surface_create (script_device, CAIRO_CONTENT_COLOR, 5, 5);
+    cr = cairo_test_create (script, ctx);
+    cairo_set_source_surface (cr, recording, 0, 0);
+    cairo_paint (cr);
+    cairo_destroy (cr);
+    cairo_surface_destroy (script);
+
+    /* Finish the script device; no further writing allowed afterwards */
+    cairo_device_finish (script_device);
+    write_data.finished = TRUE;
+    cairo_device_destroy (script_device);
+
+    cairo_surface_destroy (recording);
+
+    return write_data.test_status;
+}
+
+CAIRO_TEST (bug_277,
+	    "Regression test: Script surface emitting test after finish()",
+	    NULL, /* keywords */
+	    NULL, /* requirements */
+	    0, 0,
+	    preamble, NULL)
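Review bot: The test can pass without exercising the script backend at all, because `write_func` only records a failure for writes after `finished` is set and `preamble` never checks that any write arrived before that. If the device or the script surface ended up in an error state, presumably no callback would run and `write_data.test_status` would stay `CAIRO_TEST_SUCCESS`. Appending a `cairo_bool_t wrote;` member to `struct write_data`, setting it with `else data->wrote = TRUE;` in `write_func`, and adding `if (! write_data.wrote) write_data.test_status = CAIRO_TEST_ERROR;` just before `cairo_device_finish (script_device)` would close that gap. As a smaller point, `create_recording_surface ()` should be declared with `(void)` so that it is a prototype.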
diff --git a/test/meson.build b/test/meson.build
index c0be0e086..d23961693 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -24,8 +24,9 @@ test_sources = [
   'bug-spline.c',
   'big-trap.c',
   'bilevel-image.c',
-  'bug-40410.c',
+  'bug-277.c',
   'bug-361.c',
+  'bug-40410.c',
   'bug-431.c',
   'bug-448.c',
   'bug-51910.c',

