script: Implement device finish

Before this commit, calling cairo_device_finish() on a cairo-script
context did not actually do anything in the backend. Thus, it was
possible to continue emitting output on the script context even after it
was finished, which means that API users had no way of preventing
use-after-free bugs in their write callback. Bug 277 triggers this via
detaching a snapshot, but I guess one could also simply continue drawing
to a script surface.

This commit implements the finish function by closing the underlying
stream.

However, that was not enough to fix things. This commit also turns
writing into a stream into a no-op after the stream was closed.

I checked that the new test case actually fails before this commit and
is indeed fixed by it.

Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/277
Signed-off-by: Uli Schlachter <psychon@znc.in>
Uli Schlachter 2022-03-02 16:13:28 +01:00
parent 1fee5ac985
commit 6a81bf8201
5 changed files with 113 additions and 14 deletions


@ -259,11 +259,13 @@ void
_cairo_output_stream_write (cairo_output_stream_t *stream, _cairo_output_stream_write (cairo_output_stream_t *stream,
const void *data, size_t length) const void *data, size_t length)
{ {
if (length == 0) if (length == 0 || stream->status)
return; return;
if (stream->status) if (stream->closed) {
stream->status = CAIRO_STATUS_WRITE_ERROR;
return; return;
}
stream->status = stream->write_func (stream, data, length); stream->status = stream->write_func (stream, data, length);
stream->position += length; stream->position += length;
@ -278,9 +280,6 @@ _cairo_output_stream_write_hex_string (cairo_output_stream_t *stream,
char buffer[2]; char buffer[2];
unsigned int i, column; unsigned int i, column;
if (stream->status)
return;
for (i = 0, column = 0; i < length; i++, column++) { for (i = 0, column = 0; i < length; i++, column++) {
if (column == 38) { if (column == 38) {
_cairo_output_stream_write (stream, "\n", 1); _cairo_output_stream_write (stream, "\n", 1);
@ -407,9 +406,6 @@ _cairo_output_stream_vprintf (cairo_output_stream_t *stream,
int length_modifier, width; int length_modifier, width;
cairo_bool_t var_width; cairo_bool_t var_width;
if (stream->status)
return;
f = fmt; f = fmt;
p = buffer; p = buffer;
while (*f != '\0') { while (*f != '\0') {
@ -786,9 +782,6 @@ _cairo_memory_stream_copy (cairo_output_stream_t *base,
{ {
memory_stream_t *stream = (memory_stream_t *) base; memory_stream_t *stream = (memory_stream_t *) base;
if (dest->status)
return;
if (base->status) { if (base->status) {
dest->status = base->status; dest->status = base->status;
return; return;
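Review bot: In the last hunk, dropping the `dest->status` guard from _cairo_memory_stream_copy means a destination that is already in error now has its status overwritten by `base->status` when both streams have failed, so the first error recorded on `dest` is lost. Keeping the first error would need `if (base->status) { if (! dest->status) dest->status = base->status; return; }`. The other removed guards look safe only as long as every writer reaches the user callback through _cairo_output_stream_write, which now carries both the `status` and the `closed` check. The bodies of these functions continue outside the hunks, so that cannot be confirmed from this page.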


@ -2112,6 +2112,16 @@ _device_flush (void *abstract_device)
return _cairo_output_stream_flush (ctx->stream); return _cairo_output_stream_flush (ctx->stream);
} }
static void
_device_finish (void *abstract_device)
{
cairo_script_context_t *ctx = abstract_device;
cairo_status_t status = _cairo_output_stream_close (ctx->stream);
status = _cairo_device_set_error (&ctx->base, status);
(void) status;
}
static void static void
_device_destroy (void *abstract_device) _device_destroy (void *abstract_device)
{ {
@ -3731,7 +3741,7 @@ static const cairo_device_backend_t _cairo_script_device_backend = {
NULL, NULL, /* lock, unlock */ NULL, NULL, /* lock, unlock */
_device_flush, /* flush */ _device_flush, /* flush */
NULL, /* finish */ _device_finish, /* finish */
_device_destroy _device_destroy
}; };
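Review bot: _device_finish has no comment stating the guarantee it now provides, which is what callers rely on before freeing the closure behind their write callback. A short comment above the function would record it, e.g. `/* Close the stream so the user's write callback is not invoked after cairo_device_finish() returns. */`. The `status = ...; (void) status;` pair could be written as `(void) _cairo_device_set_error (&ctx->base, status);`. _device_destroy runs later on the same `ctx->stream` and is outside the hunk, so whether it tolerates an already-closed stream should be checked there.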


@ -24,8 +24,9 @@ test_sources = \
bug-spline.c \ bug-spline.c \
big-trap.c \ big-trap.c \
bilevel-image.c \ bilevel-image.c \
bug-40410.c \ bug-277.c \
bug-361.c \ bug-361.c \
bug-40410.c \
bug-431.c \ bug-431.c \
bug-448.c \ bug-448.c \
bug-51910.c \ bug-51910.c \

94
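--- a/test/bug-277.c
+++ b/test/bug-277.c
@@ -0,0 +1,94 @@
+/*
+* Copyright © 2022 Uli Schlachter
+*
+* Permission is hereby granted, free of charge, to any person
+* obtaining a copy of this software and associated documentation
+* files (the "Software"), to deal in the Software without
+* restriction, including without limitation the rights to use, copy,
+* modify, merge, publish, distribute, sublicense, and/or sell copies
+* of the Software, and to permit persons to whom the Software is
+* furnished to do so, subject to the following conditions:
+*
+* The above copyright notice and this permission notice shall be
+* included in all copies or substantial portions of the Software.
+*
+* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+* SOFTWARE.
+*
+* Author: Uli Schlachter <psychon@znc.in>
+*/
+#include "cairo-test.h"
+#include "cairo-script.h"
+struct write_data {
+cairo_bool_t finished;
+cairo_test_status_t test_status;
+};
+static cairo_surface_t*
+create_recording_surface ()
+{
+/* Create a non-empty recording surface with arbitrary content */
+cairo_surface_t *surf = cairo_recording_surface_create (CAIRO_CONTENT_COLOR, NULL);
+cairo_t *cr = cairo_create (surf);
+cairo_move_to (cr, 0, 0);
+cairo_line_to (cr, 10, 0);
+cairo_stroke (cr);
+cairo_destroy (cr);
+return surf;
+}
+static cairo_status_t
+write_func(void *closure, const unsigned char* bytes, unsigned int length)
+{
+struct write_data *data = closure;
+(void) bytes; (void) length;
+if (data->finished)
+data->test_status = CAIRO_TEST_ERROR;
+return CAIRO_STATUS_SUCCESS;
+}
+static cairo_test_status_t
+preamble (cairo_test_context_t *ctx)
+{
+struct write_data write_data = { FALSE, CAIRO_TEST_SUCCESS };
+cairo_device_t *script_device = cairo_script_create_for_stream (write_func, &write_data);
+cairo_surface_t *recording = create_recording_surface ();
+cairo_surface_t *script;
+cairo_t *cr;
+/* Draw the recording surface to a script surface */
+script = cairo_script_surface_create (script_device, CAIRO_CONTENT_COLOR, 5, 5);
+cr = cairo_test_create (script, ctx);
+cairo_set_source_surface (cr, recording, 0, 0);
+cairo_paint (cr);
+cairo_destroy (cr);
+cairo_surface_destroy (script);
+/* Finish the script device; no further writing allowed afterwards */
+cairo_device_finish (script_device);
+write_data.finished = TRUE;
+cairo_device_destroy (script_device);
+cairo_surface_destroy (recording);
+return write_data.test_status;
+}
+CAIRO_TEST (bug_277,
+"Regression test: Script surface emitting test after finish()",
+NULL, /* keywords */
+NULL, /* requirements */
+0, 0,
+preamble, NULL)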
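Review bot: The regression test in preamble() only covers writes triggered while the device and recording surface are torn down, because the script surface is destroyed before cairo_device_finish() is called. The commit message also names continued drawing on a still-live script surface as a way to reach the write callback after finish, and nothing here exercises that path. A second case that keeps `script` alive, calls cairo_device_finish(), sets `write_data.finished = TRUE`, and then paints again before destroying the surface would pin the `closed` guard added in _cairo_output_stream_write. Separately, `create_recording_surface ()` should be declared as `create_recording_surface (void)` so that it is a prototype.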


@ -24,8 +24,9 @@ test_sources = [
'bug-spline.c', 'bug-spline.c',
'big-trap.c', 'big-trap.c',
'bilevel-image.c', 'bilevel-image.c',
'bug-40410.c', 'bug-277.c',
'bug-361.c', 'bug-361.c',
'bug-40410.c',
'bug-431.c', 'bug-431.c',
'bug-448.c', 'bug-448.c',
'bug-51910.c', 'bug-51910.c',