From b94bf30f03913944f0ae83bdd53f48f265e0f26f Mon Sep 17 00:00:00 2001
From: Albert Astals Cid
Date: Sat, 24 Jan 2026 11:37:50 +0100
Subject: [PATCH] _cairo_pdf_surface_finish: Fix leak in error conditions
Make sure surface->object_stream.stream is cleaned up even if things failed
In poppler oss-fuzz tests we are getting this leak reported
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x5747417eabd9 in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:74:3
#1 0x574742706f5b in _cairo_memory_stream_create cairo/src/cairo-output-stream.c:741:14
#2 0x5747426757b8 in _cairo_pdf_surface_open_object_stream cairo/src/cairo-pdf-surface.c:2307:34
#3 0x57474266b880 in _cairo_pdf_surface_finish cairo/src/cairo-pdf-surface.c:2700:14
#4 0x57474261afc6 in _cairo_surface_finish cairo/src/cairo-surface.c:1043:11
#5 0x57474261afc6 in cairo_surface_finish cairo/src/cairo-surface.c:1092:5
#6 0x57474270808a in _cairo_paginated_surface_finish cairo/src/cairo-paginated-surface.c:215:2
#7 0x5747426175c2 in _cairo_surface_finish cairo/src/cairo-surface.c:1043:11
#8 0x5747426175c2 in cairo_surface_destroy cairo/src/cairo-surface.c:978:2
This fixes it. _cairo_pdf_surface_finish was succeeding past _cairo_pdf_surface_open_object_stream that allocates surface->object_stream.stream, failing when calling _cairo_pdf_surface_emit_font_subsets and that memory was never freed
---
src/cairo-pdf-surface.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/cairo-pdf-surface.c b/src/cairo-pdf-surface.c
index 3e734c759..5c57973bc 100644
--- a/src/cairo-pdf-surface.c
+++ b/src/cairo-pdf-surface.c
@@ -2793,6 +2793,11 @@ _cairo_pdf_surface_finish (void *abstract_surface)
 if (status == CAIRO_STATUS_SUCCESS)
 status = status2;
 }
+ if (surface->object_stream.stream != NULL) {
+ status2 = _cairo_output_stream_destroy (surface->object_stream.stream);
+ if (status == CAIRO_STATUS_SUCCESS)
+ status = status2;
+ }
 if (surface->pdf_stream.active)
 surface->output = surface->pdf_stream.old_output;
 if (surface->group_stream.active)
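Review bot: The added block in `_cairo_pdf_surface_finish` destroys `surface->object_stream.stream` but leaves the field pointing at the freed stream; adding `surface->object_stream.stream = NULL;` as the last statement inside the block would keep later code in this function, or a repeated finish, from touching it again. The `!= NULL` guard also only works if the normal close path resets the field after destroying the stream, which is not visible in this hunk and is worth confirming so the success path does not destroy it twice. If `surface->output` can still alias the object stream when an earlier step fails (the hunk does not show this), the later teardown of `surface->output` would need the same care. The function body starts and ends outside the hunk.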