The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444
Signed-off-by: Uli Schlachter <psychon@znc.in>
The code here temporary replaces extents->clip with another clip to call
a function. Afterwards, it restores the previous copy. The temporary
clip is only freed when it still is pointed to by extents->clip.
This logic is wrong. It is indeed possible that the clip is simplified
and changes. In this case, the original clip is also correctly freed.
However, this still means that we have to clean up and destroy the new
clip. The previous code just leaked it.
This was originally identified by Massimo in [1]. I am just committing
his patch.
[1]: https://bugs.freedesktop.org/show_bug.cgi?id=91267
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/24
Signed-off-by: Uli Schlachter <psychon@znc.in>
This gets rid of the following two leaks reported by valgrind when successfully
running a test with CAIRO_TEST_TARGET=xcb:
8,000 bytes in 2 blocks are definitely lost in loss record 9 of 10
at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B7E135: read_packet (xcb_in.c:259)
by 0x4B7E135: _xcb_in_read (xcb_in.c:1031)
by 0x4B7BF8E: _xcb_conn_wait (xcb_conn.c:516)
by 0x4B7D6AE: wait_for_reply (xcb_in.c:516)
by 0x4B7D8C8: xcb_request_check (xcb_in.c:745)
by 0x18D747: _cairo_boilerplate_xcb_create_surface (cairo-boilerplate-xcb.c:310)
by 0x12906F: cairo_test_for_target (cairo-test.c:819)
by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
by 0x126921: main (cairo-test-runner.c:932)
8,000 bytes in 2 blocks are definitely lost in loss record 10 of 10
at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B7E135: read_packet (xcb_in.c:259)
by 0x4B7E135: _xcb_in_read (xcb_in.c:1031)
by 0x4B7BF8E: _xcb_conn_wait (xcb_conn.c:516)
by 0x4B7D6AE: wait_for_reply (xcb_in.c:516)
by 0x4B7D7C0: xcb_wait_for_reply (xcb_in.c:546)
by 0x18D45D: find_depth (cairo-boilerplate-xcb.c:154)
by 0x18D45D: _cairo_boilerplate_xcb_create_render_0_0 (cairo-boilerplate-xcb.c:621)
by 0x12906F: cairo_test_for_target (cairo-test.c:819)
by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
by 0x126921: main (cairo-test-runner.c:932)
Signed-off-by: Uli Schlachter <psychon@znc.in>
Before this commit, running the test suite against a non-existing
display under valgrind resulted in:
$ ( cd test; DISPLAY=:2 CAIRO_TEST_TARGET=xcb valgrind --leak-check=full .libs/cairo-test-suite -f random-clip )
[...]
==47359== 64 bytes in 2 blocks are definitely lost in loss record 1 of 7
==47359== at 0x483AB65: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==47359== by 0x18A272: cairo_boilerplate_xcalloc (cairo-boilerplate-system.c:65)
==47359== by 0x18D652: _cairo_boilerplate_xcb_create_surface (cairo-boilerplate-xcb.c:269)
==47359== by 0x12906F: cairo_test_for_target (cairo-test.c:819)
==47359== by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
==47359== by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
==47359== by 0x126921: main (cairo-test-runner.c:932)
This commit fixes that by freeing the allocated memory in the error
path.
Signed-off-by: Uli Schlachter <psychon@znc.in>
Since we now copy the data that CGImage needs we don't need to
keep the surface around anymore, nor release it or the image in the
DataProviderReleaseCallback.
This fixes a typo wherein both a return character and a tab character
were encoded when only a return character was specified for encoding.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
StemSnapH and StemSnapV have operands of type delta which can be
a number or an array of delta-encoded numbers. This array can be
empty according to freetype developers.
This commit checks whether current operator is among those listed
and permits empty operand in such case.
Fix how offset, scale and transparency are handled.
Also do the same change in the "win32-printing" backend as it has a copy of the code from PDS, PS and SVG backends.
That way when other projects consume our declared dep, they get
transitive dependencies too based on what features cairo was built
with. Without this, projects that build cairo as a subproject and also
build, say, fontconfig as a subproject will fail to find cairo-ft.h
(etc).
Same as autotools does. Arguably it would be better to do
it the other way round and generate cairo-version.h from
the version in meson.build or configure.ac but for now
let's do this so it's at least in sync with the autotools
build and only one file has to be edited for releases.
cairo-ft.h includes fontconfig.h when CAIRO_HAS_FC_FONT is defined, so
it must appear in the pc file and the corresponding
declare_dependency(). This fix build issue in harfbuzz when cairo and
fontconfig are built as subproject.
trace-to-xml.c needs cairo-xml.h which is only available when
CAIRO_HAS_XML_SURFACE feature is built which is only available when both
zlib and png are found. CAIRO_HAS_INTERPRETER only requires zlib.
It was originally added to make bisecting easier,
but has outlived its usefuleness now.
Going forward we'll have just a single cairo-version.h
header file, the one with the real version numbers.
This is needed to fix the case where cairo is being
built as a Meson subproject, but also simplifies
things in general.
Fixes#421
rework the whole CI setup to take advantage of citemplates
for building managing the docker images.
also add a meson build job and rework the ccache config to be
shared across autotools and meson. The jobs will not share ccache
artifacts though.
https://who-t.blogspot.com/2020/03/its-templates-all-way-down.html
.. such as config.h or other generated files such as cairo-features.h,
as those might be accidentally included by the meson build and cause
weird to debug build issues.
Fixes#423
Including sys/poll.h when poll.h is available produces a compile
warning on some systems, but only sys/poll.h is present on others
such as AIX. This makes sure the most suitable poll.h is included
in each situation.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
