From bf3202fcfd281be3fa62c2d6719377a8f2a0dec4 Mon Sep 17 00:00:00 2001
From: Chris Wilson <chris@chris-wilson.co.uk>
Date: Thu, 16 Oct 2008 12:33:22 +0100
Subject: [PATCH] [xlib] Fix double free of Pixmap along error path.

If the paint fails then we attempt to free the Pixmap ourselves and via
the cairo_surface_destroy (as it also believes that it owns the Pixmap).
---
 src/cairo-xlib-surface.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
index 0d80536dc..8d6710660 100644
--- a/src/cairo-xlib-surface.c
+++ b/src/cairo-xlib-surface.c
@@ -1288,9 +1288,10 @@ _cairo_xlib_surface_create_solid_pattern_surface (void                  *abstrac
     status = surface->base.status;
     if (status)
 	goto BAIL;
-    surface->owns_pixmap = TRUE;
 
-    status = _cairo_surface_paint (&image->base, CAIRO_OPERATOR_SOURCE, &solid_pattern->base);
+    status = _cairo_surface_paint (&image->base,
+				   CAIRO_OPERATOR_SOURCE,
+				   &solid_pattern->base);
     if (status)
 	goto BAIL;
 
@@ -1305,13 +1306,16 @@ _cairo_xlib_surface_create_solid_pattern_surface (void                  *abstrac
   BAIL:
     cairo_surface_destroy (&image->base);
 
-    if (status && surface) {
-	XFreePixmap (other->dpy, pixmap);
+    if (status) {
+	if (pixmap != None)
+	    XFreePixmap (other->dpy, pixmap);
 	cairo_surface_destroy (&surface->base);
-	surface = NULL;
+
+	return _cairo_surface_create_in_error (status);
     }
 
-    return (cairo_surface_t *) surface;
+    surface->owns_pixmap = TRUE;
+    return &surface->base;
 }
 
 static cairo_status_t