From d7cb417e0edde2756ec9f19ca1eb99fd33133cd0 Mon Sep 17 00:00:00 2001
From: Feysh INC
Date: Fri, 22 Apr 2022 21:24:09 +0800
Subject: [PATCH] Fix a use after free in _cairo_svg_surface_create_for_stream_internal

When `_cairo_svg_surface_create_for_document()` failed, it will free the `document` by `_cairo_svg_document_destroy()`. But after `_cairo_svg_surface_create_for_document` return a error status, the `document` is still used and destoryed by `_cairo_svg_document_destroy()`. We remove the redundant `_cairo_svg_document_destroy()` in `_cairo_svg_surface_create_for_stream_internal` to avoid this bug.

This fixes #561.

Signed-off-by: Feysh INC
---
 src/cairo-svg-surface.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/cairo-svg-surface.c b/src/cairo-svg-surface.c
index c6d9382b3..dfb72b2ad 100644
--- a/src/cairo-svg-surface.c
+++ b/src/cairo-svg-surface.c
@@ -1142,7 +1142,6 @@ _cairo_svg_surface_create_for_stream_internal (cairo_output_stream_t *stream,
     surface = _cairo_svg_surface_create_for_document (document,
                                                       CAIRO_CONTENT_COLOR_ALPHA,
                                                       width, height, TRUE);
     if (surface->status) {
-        status = _cairo_svg_document_destroy (document);
         return surface;
     }
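Review bot: The remaining `if (surface->status) { return surface; }` now depends on `_cairo_svg_surface_create_for_document` having already destroyed `document` on its error path, and nothing at the call site records that ownership transfer, so the deleted destroy call is easy to reintroduce in a later edit. Add a comment before the return, `/* On failure, _cairo_svg_surface_create_for_document() has already destroyed document; it must not be destroyed again here. */`. If the removed line was the only assignment to `status` on this path, the local may now be set-but-unused or uninitialised at a later read inside `_cairo_svg_surface_create_for_stream_internal`, whose body starts and ends outside the hunk. A regression test that drives the failure path under AddressSanitizer would confirm the double free is gone rather than relying on review alone.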