ps: Fix crash in self-copy-overlap

According to valgrind, there is a use-after-free here. The function _cairo_ps_surface_emit_surface() temporarily replaces some member of a struct and then later re-sets it. However, there is an early return possible that would skip that part of the code. This commit moves the re-set up so that no freed pointers are left behind. This seems to fix the crash. Signed-off-by: Uli Schlachter <psychon@znc.in>
2025-12-20 04:40:07 +01:00 · 2021-08-15 18:26:53 +02:00 · 2021-08-15 18:26:53 +02:00 · a2d05a0c34
commit a2d05a0c34
parent c1aaaff880
3 changed files with 3 additions and 1 deletions
--- a/.gitlab-ci/ignore-ps2-argb32.txt
+++ b/.gitlab-ci/ignore-ps2-argb32.txt
@ -161,6 +161,7 @@ rounded-rectangle-fill
 rounded-rectangle-stroke
 scale-offset-image
 scale-offset-similar
+self-copy-overlap
 stroke-ctm-caps
 stroke-clipped
 stroke-image
--- a/.gitlab-ci/ignore-ps3-argb32.txt
+++ b/.gitlab-ci/ignore-ps3-argb32.txt
@ -172,6 +172,7 @@ rounded-rectangle-fill
 rounded-rectangle-stroke
 scale-offset-image
 scale-offset-similar
+self-copy-overlap
 stroke-ctm-caps
 stroke-clipped
 stroke-image
--- a/src/cairo-ps-surface.c
+++ b/src/cairo-ps-surface.c
@ -3713,11 +3713,11 @@ _cairo_ps_surface_emit_surface (cairo_ps_surface_t          *surface,

 	status = _cairo_memory_stream_destroy (surface->stream, &data, &length);
 	free (data);
+	surface->stream = old_stream;
 	if (unlikely (status))
 	    return status;

 	params->approx_size = length;
-	surface->stream = old_stream;
 	_cairo_pdf_operators_set_stream (&surface->pdf_operators,
 					 surface->stream);
    }