From 10110d58cee179cded8e4c4ff8a8d02c477585bd Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Sat, 2 Feb 2013 08:47:26 +0000
Subject: [PATCH] surface: Prevent reads from the user-data arrays during
 teardown

In a similar fashion to the previous commit, we also need to be wary of
users simply trying to read from a potentially freed user-data array.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
 src/cairo-surface.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/cairo-surface.c b/src/cairo-surface.c
index 5ec659e01..5c6969c8a 100644
--- a/src/cairo-surface.c
+++ b/src/cairo-surface.c
@@ -1096,6 +1096,10 @@ void *
 cairo_surface_get_user_data (cairo_surface_t		 *surface,
 			     const cairo_user_data_key_t *key)
 {
+    /* Prevent reads of the array during teardown */
+    if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
+	return NULL;
+
     return _cairo_user_data_array_get_data (&surface->user_data, key);
 }
 
@@ -1157,7 +1161,9 @@ cairo_surface_get_mime_data (cairo_surface_t		*surface,
 
     *data = NULL;
     *length = 0;
-    if (unlikely (surface->status))
+
+    /* Prevent reads of the array during teardown */
+    if (! CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count))
 	return;
 
     /* The number of mime-types attached to a surface is usually small,