[cairo] Toy font face race condition / heap corruption?

Paul Messmer paulmessmer at hotmail.com
Mon Jan 26 10:26:11 PST 2009



> From: chris at chris-wilson.co.uk
> 
> As I read it, the check on the reference count needs to be performed
> before we remove the entry from the hash table - but otherwise the
> analysis is spot on.

As long as the check on the reference count is performed AFTER
the hash table is locked and before the entry is removed, then it seems good (and this is almost certainly what you meant, but I wanted to clarify) and won't leave any orphaned objects like my suggestion.  In the existing code there's already a check (in the calling function) before the entry is removed and before the table is locked, yet there's a race because reaching a reference count of 0 isn't atomic with entry removal.

Thanks,
-- Paul
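An added illustration of the interleaving discussed in this thread (example code, not cairo's; all names such as font_face_destroy, table_lookup and the one-slot table are hypothetical): the reference count reaches zero outside the table lock, a concurrent lookup resurrects the entry, and destroy either trusts the stale zero or re-checks the count under the lock before removing the entry.

```c
/* Added example, not cairo's code: a refcounted object cached in a table,
 * showing the race from this thread and the fix. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
typedef struct { int ref_count; bool freed; } font_face_t; /* freed stands in for free() */
static volatile char lock_flag;  /* spinlock standing in for the table mutex */
static void table_lock(void)   { while (__atomic_test_and_set(&lock_flag, __ATOMIC_ACQUIRE)) {} }
static void table_unlock(void) { __atomic_clear(&lock_flag, __ATOMIC_RELEASE); }
static font_face_t *table_entry; /* one-slot stand-in for the hash table */

void table_insert(font_face_t *f) {
    table_lock(); f->ref_count = 1; f->freed = false; table_entry = f; table_unlock();
}

/* Lookup bumps the count while holding the lock, so a returned entry is owned. */
font_face_t *table_lookup(void) {
    table_lock();
    font_face_t *f = table_entry;
    if (f) __atomic_add_fetch(&f->ref_count, 1, __ATOMIC_SEQ_CST);
    table_unlock();
    return f;
}
void concurrent_lookup(void) { (void)table_lookup(); }  /* the "other thread" */

/* Drop a reference. in_window runs after the count hits zero but before the
 * lock is taken, where another thread can be scheduled. recheck == false trusts
 * the zero seen outside the lock (the race); recheck == true re-reads the count
 * under the lock and removes the entry only if nobody resurrected it. */
bool font_face_destroy(font_face_t *f, void (*in_window)(void), bool recheck) {
    if (__atomic_sub_fetch(&f->ref_count, 1, __ATOMIC_SEQ_CST) != 0) return false;
    if (in_window) in_window();
    table_lock();
    if (recheck && __atomic_load_n(&f->ref_count, __ATOMIC_SEQ_CST) != 0) {
        table_unlock();  /* resurrected by a lookup: leave it in the table */
        return false;
    }
    if (table_entry == f) table_entry = NULL;
    table_unlock();
    f->freed = true;     /* real code would free(f) here */
    return true;
}
/* One interleaving: insert, then destroy with a lookup landing in the window.
 * Returns true if the object was torn down while a reference is still held. */
bool scenario_frees_live_object(bool recheck) {
    static font_face_t face;
    table_insert(&face);
    font_face_destroy(&face, concurrent_lookup, recheck);
    return face.freed && face.ref_count > 0;
}
```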


