fdo-mirrors/cairo
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/cairo/cairo.git synced 2026-01-17 04:50:23 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix a use after free in _cairo_svg_surface_create_for_stream_internal

Browse source 
When `_cairo_svg_surface_create_for_document()` failed, it will free the
`document` by `_cairo_svg_document_destroy()`. But after `_cairo_svg_surface_create_for_document` return a error status, the `document` is still used and destoryed by `_cairo_svg_document_destroy()`.

We remove the redundant `_cairo_svg_document_destroy()` in `_cairo_svg_surface_create_for_stream_internal` to avoid this bug.

This fixes #561.

Signed-off-by: Feysh INC <opensource@feysh.com>
This commit is contained in:
Feysh INC 2022-04-22 21:24:09 +08:00
parent a934fa66db
commit d7cb417e0e
1 changed files with 0 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
src/cairo-svg-surface.c
View file

@ -1142,7 +1142,6 @@ _cairo_svg_surface_create_for_stream_internal (cairo_output_stream_t *stream,
surface = _cairo_svg_surface_create_for_document (document, CAIRO_CONTENT_COLOR_ALPHA,
width, height, TRUE);
if (surface->status) {
status = _cairo_svg_document_destroy (document);
return surface;
}