[cairo] [PATCH] win32: Attempt to solve a nasty use-after-free by the caller of clone_similar()
Chris Wilson
chris at chris-wilson.co.uk
Thu Feb 26 07:54:31 PST 2009
On Thu, 2009-02-26 at 09:51 -0500, Owen Taylor wrote:
> acquire_source_image is not designed to give you a surface that you can
> keep around persistently. That's why there's a special release()
> function and the image_extra argument... if you could just ref the image
> and keep it around, then cairo_surface_destroy() would have been
> sufficient.
>
> It's meant to be locally scoped, and since the parent surface has to be
> passed in to release(), we know it is around for the entire scope.
At issue is _cairo_surface_clone_similar(), in particular:
/* If we failed, try again with an image surface */
status = _cairo_surface_acquire_source_image (src, &image, &image_extra);
if (status == CAIRO_STATUS_SUCCESS) {
status = surface->backend->clone_similar (surface, &image->base,
src_x, src_y,
width, height,
clone_offset_x,
clone_offset_y,
clone_out);
_cairo_surface_release_source_image (src, image, image_extra);
}
The situation here is that clone_out is just a reference to the image
surface that we have just released. But remember that this is still
internal API and the clone is scoped by the composite operation being
performed.
-ickle
More information about the cairo
mailing list