_cairo_pattern_fini depends on the pattern being correctly initialised,
for example when calling _cairo_user_data_array_fini(), so we need to
initialize the whole pattern and not just set the type to SOLID when
creating a pattern for a surface in error.
The image surface that _cairo_quartz_surface_acquire_source_image creates never
seems to be released, probably because there is no release_source_image callback
in the quartz code.
The attached patch fixes that problem, at least insofar as the image surface
itself is no longer leaking. I'm not sure whether any other cleanup needs to
happen here.
-Boris
Previously if the backend finish() function returned an error status,
surface->finished was not set true. This would result in the backend
finish() function being called twice which in the case of the PostScript
backend caused a seg fault.
_cairo_pdf_surface_emit_pattern_stops() tried to set the last element
to have an offset of exactly 1.0, but missed and set the next element
after the end of the array.
cairo_surface_create_similar() does not return NULL as was being checked
for, but the nil surface on error. Also ensure that the returned surface
is destroyed if we encounter an error whilst compositing.
Growing the arrays may successfully allocate the indirect pointer, but
fail whilst allocating the actual array - so always call
_cairo_array_fini after _cairo_array_grow_by().
If we fail to create the sub font destroy the local reference to the
parent font and if we fail to insert the sub font into the hash table,
destroy the newly created sub font.
Small window of opportunity for the unscaled font to be destroyed and
removed from the hash table before
_cairo_ft_unscaled_font_create_for_pattern() takes a reference on behalf
of its cairo. Close the window by taking the reference with the font
map lock held.
The status return from _cairo_xlib_screen_put_gc() indicates the failure
to queue a job to free an old GC - the current GC is always transferred
away from the caller, so always nullify it in the surface.
Return the nil object if we encounter any error whilst trying to
generate the path.
Also special case the NO_MEMORY error object to return the nil object.
After consuming the GC we need to unset the clip reset flag, so that
if we try and get a new GC without first putting a fresh one we do not
try to call XSetClipMask on a NULL GC.
(Fixes http://bugs.freedesktop.org/show_bug.cgi?id=10921)
By dropping the top frame from suppression, the XrmGetFileDatabase
suppressions will also match XrmGetStringDatabase leaks which are
starting to occur.
_cairo_truetype_font_create() failed to update the status before
returning after detecting an allocation failure, leaving its callers
none the wiser - and eventually triggering a segmentation fault when
the font was used in anger.
Before attempting to access the cairo_meta_surface_t specific members,
we need to ensure that _cairo_meta_surface_replay() has received a true
meta surface rather than an error surface (e.g. _cairo_surface_nil).
Sun never released a version of Solaris with Xorg with the buggy repeat
problem. This patch was only needed for development versions of Solaris
Nevada (roughly builds 25-30). The latest S10U release and Nevada releases
have a fixed Xorg. So no users should ever encounter this bug.
We need to remove this test because Xsun has the same VendorString and a lower
VendorRelease number so it falsely triggers buggy_repeat to be turned on.
They just added Xrender support recently to Xsun, so this wasn't an issue
until recently.
cairo_scaled_font_create() returns a nil object on failure whereas a few
callers were checking for NULL.
Secondly review the public entry points for cairo_scaled_font_*() to
ensure that all check that they will not attempt to overwrite the
read-only nil object.
cairo_pop_group() checks for a NULL return from
cairo_pattern_create_for_surface() instead of the nil cairo_pattern_t,
and then returns a NULL pattern instead of the nil object.
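The nil-object idiom behind the cairo_surface_create_similar(), cairo_scaled_font_create() and cairo_pop_group() fixes above, as an added example that is not cairo's code: on allocation failure the constructor returns a static, read-only error object rather than NULL, so a NULL check never fires and callers must inspect the status instead, while public entry points must refuse to write to that shared object. The type names, the `refcount == 0` marker and the `simulate_oom` flag are this example's own assumptions.

```c
#include <stdlib.h>
/* Hypothetical status and object types; not cairo's own definitions. */
typedef enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1 } status_t;
typedef struct {
    status_t status;
    int      refcount;   /* 0 marks the static, read-only nil object */
    double   value;
} pattern_t;

/* Read-only nil object handed back on allocation failure. Any write to it
 * corrupts every holder (or faults if it lives in read-only memory). */
static const pattern_t pattern_nil = { STATUS_NO_MEMORY, 0, 0.0 };

pattern_t *pattern_create(double value, int simulate_oom) {
    /* simulate_oom stands in for an injected malloc failure */
    pattern_t *p = simulate_oom ? NULL : malloc(sizeof *p);
    if (p == NULL)
        return (pattern_t *) &pattern_nil;   /* never NULL */
    p->status = STATUS_SUCCESS;
    p->refcount = 1;
    p->value = value;
    return p;
}

/* Public entry points must refuse to modify the shared nil object. */
void pattern_set_error(pattern_t *p, status_t status) {
    if (p->refcount == 0)                 /* nil object: leave it alone */
        return;
    if (p->status == STATUS_SUCCESS)      /* keep the first error */
        p->status = status;
}

void pattern_destroy(pattern_t *p) {
    if (p->refcount == 0)                 /* nil object is never freed */
        return;
    if (--p->refcount == 0)
        free(p);
}

/* Drives the allocation-failure path. Returns 1 if a NULL check fired
 * (it cannot, which is the bug these commits fix), 2 if the status check
 * caught the error, 0 if neither noticed. */
int run_oom_scenario(void) {
    pattern_t *p = pattern_create(1.0, 1);
    int seen = (p == NULL) ? 1 : (p->status != STATUS_SUCCESS) ? 2 : 0;
    pattern_set_error(p, STATUS_NO_MEMORY); /* must not touch the nil object */
    pattern_destroy(p);                     /* must not free it either */
    return seen;
}
```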
During the copy, allocation of the gradient may fail and so the callers
need to check for a pattern that returned in an error state. No callers
did so and in order to force all callers to check the error status,
the status return was added to _cairo_pattern_init_copy(). The early
error checking may appear redundant for an object with an embedded
structure, however it does fix an error where an uninitialised pattern
was being used:
==1922== Process terminating with default action of signal 11 (SIGSEGV)
==1922== Access not within mapped region at address 0x55555555
==1922== at 0x402CF6F: _cairo_array_index (cairo-array.c:208)
==1922== by 0x402D4F3: _cairo_user_data_array_fini (cairo-array.c:370)
==1922== by 0x4046464: _cairo_pattern_fini (cairo-pattern.c:188)
==1922== by 0x404992A: _cairo_meta_surface_paint (cairo-meta-surface.c:266)
==1922== by 0x403FCE0: _cairo_surface_paint (cairo-surface.c:1331)
==1922== by 0x405CB5E: _test_meta_surface_paint (test-meta-surface.c:195)
==1922== by 0x403FCE0: _cairo_surface_paint (cairo-surface.c:1331)
==1922== by 0x4032A60: _cairo_gstate_paint (cairo-gstate.c:822)
==1922== by 0x402B2D1: cairo_paint (cairo.c:1879)
==1922== by 0x804A4F7: draw (radial-gradient.c:73)
==1922== by 0x804AFA4: cairo_test_expecting (cairo-test.c:326)
==1922== by 0x804A57C: main (radial-gradient.c:109)
==1922== Injected fault at:
==1922== at 0x4020EA5: malloc (vg_replace_malloc.c:207)
==1922== by 0x404475C: _cairo_pattern_init_copy (cairo-pattern.c:136)
==1922== by 0x403F779: _cairo_surface_copy_pattern_for_destination (cairo-surface.c:2153)
==1922== by 0x403FCC1: _cairo_surface_paint (cairo-surface.c:1328)
==1922== by 0x405CB5E: _test_meta_surface_paint (test-meta-surface.c:195)
==1922== by 0x403FCE0: _cairo_surface_paint (cairo-surface.c:1331)
==1922== by 0x4032A60: _cairo_gstate_paint (cairo-gstate.c:822)
==1922== by 0x402B2D1: cairo_paint (cairo.c:1879)
==1922== by 0x804A4F7: draw (radial-gradient.c:73)
==1922== by 0x804AFA4: cairo_test_expecting (cairo-test.c:326)
==1922== by 0x804A57C: main (radial-gradient.c:109)