To avoid any possibility of uninitialized memory.
The exceptions are:
- where the allocation is immediately overwritten by a memcpy or struct copy.
- arrays of structs to avoid any performance impact (except when the
array is returned by the public API).
I added options->variations = strdup("slnt=0,wght=400,wdth=100"); to the
end of _cairo_font_options_init_default(). This makes all font option
objects own some memory that needs to be freed. Then I ran some random
test under valgrind and found memory leaks.
This commit makes the script surface finish the font options that it
contains. This fixes the following valgrind report:
25 bytes in 1 blocks are definitely lost in loss record 8 of 21
at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4ECBC99: strdup (strdup.c:42)
by 0x4886B7F: _cairo_font_options_init_default (cairo-font-options.c:86)
by 0x49768F4: _cairo_script_implicit_context_init (cairo-script-surface.c:3676)
by 0x4976B22: _cairo_script_surface_create_internal (cairo-script-surface.c:3733)
by 0x4976EA1: cairo_script_surface_create (cairo-script-surface.c:3962)
by 0x1B0A97: _cairo_boilerplate_script_create_surface (cairo-boilerplate-script.c:63)
by 0x129B7F: cairo_test_for_target (cairo-test.c:824)
by 0x12B37F: _cairo_test_context_run_for_target (cairo-test.c:1545)
by 0x12C385: _cairo_test_runner_draw (cairo-test-runner.c:258)
by 0x12DEB5: main (cairo-test-runner.c:962)
Signed-off-by: Uli Schlachter <psychon@znc.in>
The original "slim" symbol rewriting was added without any shred of a
set of performance evaluation, and mostly copy-pasted from a very early
version of pixman. Pixman itself never used them, and most C
libraries—like GLib and GTK—have dropped similar mechanisms over the
past 15 years, as linkers have improved considerably in the meantime.
Modern linkers provide functionality to avoid intra-library PLT jump
through flags like `-Bsymbolic-functions`; we should use that, instead,
and keep the code base more maintainable and debuggable.
The problem is _cairo_recording_surface_replay_and_create_regions()
stores the cairo_recording_region_type_t in the same structure as the
recording commands. This does not work well when the recording surface
is used as source by multiple surfaces
Fix this by moving the cairo_recording_region_type_t into a separate
struct cairo_recording_regions_array_t. This struct is stored in a
list that allows multiple create regions results to be store in the
surface.
The new function _cairo_recording_surface_region_array_attach() is
used to create a new cairo_recording_regions_array_t, attach it to the
recording surface and return a unique region id.
The _cairo_recording_surface_replay_and_create_regions() and
_cairo_recording_surface_replay_region() functions use this region id
to identify the cairo_recording_regions_array_t.
To handle nested recording surfaces, when replaying a recording, the
region id is passed to the target as an extra parameter in the surface
pattern. The wrapper surface makes a temporary copy of the pattern to
ensure the snapshot pattern in the recording surface is not modified.
cairo_recording_regions_array_t has a reference count so the target
can hold on to the cairo_recording_regions_array_t after the paginated
surface has called _cairo_recording_surface_region_array_remove().
In !309 Taylor R Campbell found a number of instances of ctype
incorrectly passed a signed char. In many cases, where only ASCII
characters are used, the code should have been using the cairo version
of the ctype function to avoid locale issues.
Before this commit, calling cairo_device_finish() on a cairo-script
context did not actually do anything in the backend. Thus, it was
possible to continue emitting output on the script context even after it
was finished, which means that API user had no way of preventing
use-after-free bugs in their write callback. Bug 277 triggers this via
detaching a snapshot, but I guess one could also simply continue drawing
to a script surface.
This commit implements the finish function by closing the underlying
stream.
However, that was not enough to fix things. This commit also turns
writing into a stream into a no-op after the stream was closed.
I checked that the new test case actually fails before this commit and
is indeed fixed by it.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/277
Signed-off-by: Uli Schlachter <psychon@znc.in>
cairo-script has a special case for drawing a set of rectangles. The
rectangle detection can trip over a "degenerate rectangle": Just a
horizontal line. It detects the line as the beginning of a rectangle and
then claims CAIRO_STATUS_INVALID_PATH_DATA when the other sides of the
rectangle are missing.
This commit simply changes the return value to
CAIRO_INT_STATUS_UNSUPPORTED to trigger a fallback to the generate case.
Test case is a straight-forward adaption from the original bug report.
Signed-off-by: Uli Schlachter <psychon@znc.in>
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/535
COLR fonts can have a layer with the same color as the current text
color. This change passes the current color (if solid) through to
the font backend where it can be used to render color fonts.
scaled_glyph_lookup checks if the foreground color has changed (for
glyph that require it) and requests a new color surface if required.
This also fixes a bug where scaled_glyph_lookup would always request a
color surface for glyphs for glyphs in color fonts that do not have
color.
On 64-bit windows, long is 32-bit. When compiling there are a large
number of warnings about mismatched sizes when casting long to/from a
pointer.
Use the (u)intptr_t type for any integer that will have a pointer stored
in it. Use a (u)intptr_t cast when integers are stored in pointers to
silence warnings.
Fixes#263
Found via `codespell -i 3 -w -I ../cairo-word-whitelist.txt -L tim,ned,uint`
Follow up of 12cb59be7d
Reviewed-by: Bryce Harrington <bryce@bryceharrington.org>
IGT wants to add support for planes with a bit depth >10, which
requires a higher precision format than we have currently.
I'm using RGBA as format, because of its existence in OpenGL.
With the new formats we can directly convert our bytes to half float,
or multiply a colro vector with a matrix to go to the Y'CbCr colorspace.
This requires pixman 0.36.0, so bump the version requirement.
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Reviewed-by: Bryce Harrington <bryce@bryceharrington.org>
If the bitmap's min is non-zero, _bitmap_next_id() could break out of
its loop early, before initializing the prev variable. prev would then
be dereferenced without a null ptr check. This condition should never
occur in practice, so add an assert() to assure it doesn't.
Same issue is present in trace.c.
Coverity IDs: #1159557, #1159558
Reviewed-By: Uli Schlachter <psychon@znc.in>
Signed-off-by: Bryce Harrington <bryce@bryceharrington.org>
_cairo_malloc(0) always returns NULL, but has not been used
consistently. This patch replaces many calls to malloc() with
_cairo_malloc().
Fixes: fdo# 101547
CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Image data is often accessed using:
image->data + y * image->stride
On 64-bit achitectures if the image data is > 4GB, this computation
will overflow since both y and stride are 32-bit types.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=98165
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
In order to prevent a race between concurrent destroy and use in another
thread, we need to acquire a reference to the snapshot->target under a
mutex. Whilst we hold that reference, it prevents the internal destroy
mechanism from freeing the memory we are using (if we have a pointer to
the original surface) and the client drops their final reference.
Oh boy, talk about opening a can of worms...
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
The following Python script was used to compute "Since: 1.X" tags,
based on the first version where a symbol became officially supported.
This script requires a concatenation of the the cairo public headers
for the officially supported beckends to be available as
"../../includes/1.X.0.h".
from sys import argv
import re
syms = {}
def stripcomments(text):
def replacer(match):
s = match.group(0)
if s.startswith('/'):
return ""
else:
return s
pattern = re.compile(
r'//.*?$|/\*.*?\*/|\'(?:\\.|[^\\\'])*\'|"(?:\\.|[^\\"])*"',
re.DOTALL | re.MULTILINE
)
return re.sub(pattern, replacer, text)
for minor in range(12,-2,-2):
version = "1.%d" % minor
names = re.split('([A-Za-z0-9_]+)', stripcomments(open("../../includes/%s.0.h" % version).read()))
for s in names: syms[s] = version
for filename in argv[1:]:
is_public = False
lines = open(filename, "r").read().split("\n")
newlines = []
for i in range(len(lines)):
if lines[i] == "/**":
last_sym = lines[i+1][2:].strip().replace(":", "")
is_public = last_sym.lower().startswith("cairo")
elif is_public and lines[i] == " **/":
if last_sym in syms:
v = syms[last_sym]
if re.search("Since", newlines[-1]): newlines = newlines[:-1]
if newlines[-1].strip() != "*": newlines.append(" *")
newlines.append(" * Since: %s" % v)
else:
print "%s (%d): Cannot determine the version in which '%s' was introduced" % (filename, i, last_sym)
newlines.append(lines[i])
out = open(filename, "w")
out.write("\n".join(newlines))
out.close()
Documentation comments should always start with "/**" and end with
"**/". This is not required by gtk-doc, but it makes the
documentations formatting more consistent and simplifies the checking
of documentation comments.
The following Python script tries to enforce this.
from sys import argv
from sre import search
for filename in argv[1:]:
in_doc = False
lines = open(filename, "r").read().split("\n")
for i in range(len(lines)):
ls = lines[i].strip()
if ls == "/**":
in_doc = True
elif in_doc and ls == "*/":
lines[i] = " **/"
if ls.endswith("*/"):
in_doc = False
out = open(filename, "w")
out.write("\n".join(lines))
out.close()
This fixes most 'documentation comment not closed with **/' warnings
by check-doc-syntax.awk.
As discussed, overloading the cairo_surface_t semantics to include
sources (i.e. read-only surfaces) was duplicating the definition of
cairo_pattern_t. So rather than introduce a new surface type with
pattern semantics, start along the thorny road of extensible pattern
types.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Having spent the last dev cycle looking at how we could specialize the
compositors for various backends, we once again look for the
commonalities in order to reduce the duplication. In part this is
motivated by the idea that spans is a good interface for both the
existent GL backend and pixman, and so they deserve a dedicated
compositor. xcb/xlib target an identical rendering system and so they
should be using the same compositor, and it should be possible to run
that same compositor locally against pixman to generate reference tests.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
P.S. This brings massive upheaval (read breakage) I've tried delaying in
order to fix as many things as possible but now this one patch does far,
far, far too much. Apologies in advance for breaking your favourite
backend, but trust me in that the end result will be much better. :)
The existing API only described the method to be used for performing
rasterisation and unlike other API provided no opportunity for the user
to give a hint as to how to trade off performance against speed. So in
order to no be overly prescriptive, we extend the NONE/GRAY/SUBPIXEL
methods with FAST/GOOD/BEST hints and leave the backend to decide how
best to achieve those goals.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
The immediate use of this is to print out the slowest operation of each
type in a replayable manner. A continuing demonstration of how we may
analyse traces...
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
So that we remember to forget the old image when the surface is dirtied.
Fixes filter-bilinear-extents.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
If a function expects a surface but receives a context, it automatically
queries the context's target. We can take advantage of this to short-cut
a few operations.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Ouch, a nasty bug surfaces after rearranging code to fix the others.
Another self-copy loop this time through a subsurface of a recording
surface.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
