Fix a memory leak with cairo_tag_begin() + pdf

The error paths in _cairo_pdf_interchange_begin_dest_tag() do not clean
up and cause some memory to be leaked. Fix this by adding the necessary
free()s.

The first hunk, the missing free(dest) was found by oss-fuzz (see link
below).

The second hunk is an obvious follow-up. It also cleans up the memory
allocated by _cairo_tag_parse_dest_attributes().

The cleanup in the second hunk is similar to the function
_named_dest_pluck() in the same function, but that function also removes
the entry from a hash table.  The error case here is that exactly this
hash table insertion failed.  Thus, the code cannot simply use the
already existing function.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30880
Signed-off-by: Uli Schlachter <psychon@znc.in>
Uli Schlachter 2021-02-13 10:00:42 +01:00
parent 38a5c60368
commit ac616c270d

@ -1134,13 +1134,20 @@ _cairo_pdf_interchange_begin_dest_tag (cairo_pdf_surface_t *surface,
status = _cairo_tag_parse_dest_attributes (attributes, &dest->attrs);
if (unlikely (status))
{
free (dest);
return status;
}
dest->page = _cairo_array_num_elements (&surface->pages);
init_named_dest_key (dest);
status = _cairo_hash_table_insert (ic->named_dests, &dest->base);
if (unlikely (status))
{
free (dest->attrs.name);
free (dest);
return status;
}
_cairo_tag_stack_set_top_data (&ic->analysis_tag_stack, dest);
cairo_list_add_tail (&dest->extents.link, &ic->extents_list);
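Review bot: the two error paths in this hunk are not symmetric: the path after `_cairo_tag_parse_dest_attributes()` fails frees only `dest`, while the path after `_cairo_hash_table_insert()` fails frees `dest->attrs.name` and then `dest`. If the attribute parser can allocate `attrs.name` and then fail on a later attribute, the first path still leaks that string; either confirm that `_cairo_tag_parse_dest_attributes()` releases its own partial allocations before returning an error, or add `free (dest->attrs.name);` ahead of `free (dest);` in the first path as well (harmless if the field is still NULL at that point). Since both paths now repeat the same teardown that `_named_dest_pluck()` performs minus the hash-table removal, a small helper that frees the attrs and the struct, called from all three places, would keep the three copies from drifting apart.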