From a2d05a0c344e7a0239e4a95332d6b364a3c852e2 Mon Sep 17 00:00:00 2001
From: Uli Schlachter
Date: Sun, 15 Aug 2021 18:26:53 +0200
Subject: [PATCH] ps: Fix crash in self-copy-overlap

According to valgrind, there is a use-after-free here. The function _cairo_ps_surface_emit_surface() temporarily replaces some member of a struct and then later re-sets it. However, there is an early return possible that would skip that part of the code. This commit moves the re-set up so that no freed pointers are left behind. This seems to fix the crash.

Signed-off-by: Uli Schlachter
---
 .gitlab-ci/ignore-ps2-argb32.txt | 1 +
 .gitlab-ci/ignore-ps3-argb32.txt | 1 +
 src/cairo-ps-surface.c | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci/ignore-ps2-argb32.txt b/.gitlab-ci/ignore-ps2-argb32.txt
index a2eb631e0..75c599fc4 100644
--- a/.gitlab-ci/ignore-ps2-argb32.txt
+++ b/.gitlab-ci/ignore-ps2-argb32.txt
@@ -161,6 +161,7 @@ rounded-rectangle-fill
 rounded-rectangle-stroke
 scale-offset-image
 scale-offset-similar
+self-copy-overlap
 stroke-ctm-caps
 stroke-clipped
 stroke-image
diff --git a/.gitlab-ci/ignore-ps3-argb32.txt b/.gitlab-ci/ignore-ps3-argb32.txt
index ee227c8f7..9e433d5c3 100644
--- a/.gitlab-ci/ignore-ps3-argb32.txt
+++ b/.gitlab-ci/ignore-ps3-argb32.txt
@@ -172,6 +172,7 @@ rounded-rectangle-fill
 rounded-rectangle-stroke
 scale-offset-image
 scale-offset-similar
+self-copy-overlap
 stroke-ctm-caps
 stroke-clipped
 stroke-image
diff --git a/src/cairo-ps-surface.c b/src/cairo-ps-surface.c
index 5645aae4a..343a5ea05 100644
--- a/src/cairo-ps-surface.c
+++ b/src/cairo-ps-surface.c
@@ -3713,11 +3713,11 @@ _cairo_ps_surface_emit_surface (cairo_ps_surface_t *surface,
 status = _cairo_memory_stream_destroy (surface->stream, &data, &length);
 free (data);
+ surface->stream = old_stream;
 if (unlikely (status))
 return status;
 params->approx_size = length;
- surface->stream = old_stream;
 _cairo_pdf_operators_set_stream (&surface->pdf_operators, surface->stream);
 }
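Review bot: The early-return path still leaves `surface->pdf_operators` pointing at the destroyed memory stream: the moved `surface->stream = old_stream;` now runs before `if (unlikely (status)) return status;`, but `_cairo_pdf_operators_set_stream (&surface->pdf_operators, surface->stream);` is only reached after that return, so on error the operators object keeps whatever stream it was given when the temporary stream was installed above the hunk (presumably the one `_cairo_memory_stream_destroy` has just freed). Moving that call up together with the restore, i.e. `surface->stream = old_stream; _cairo_pdf_operators_set_stream (&surface->pdf_operators, surface->stream); if (unlikely (status)) return status;`, removes the remaining stale pointer; the caller may well put the surface into an error state after this return so the operators are never used again, but that is not visible here and the bug being fixed is exactly this kind of leftover reference. The enclosing function `_cairo_ps_surface_emit_surface` begins before this hunk, and the closing brace at the end of the hunk appears to close an inner block rather than the function.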