The expression &image_surface->base basically just casts the
cairo_image_surface_t* to cairo_surface_t*. However, technically it is a
NULL pointer dereference and UndefinedBehaviorSanitizer flags it as
such:
runtime error: member access within null pointer of type 'cairo_image_surface_t' (aka 'struct _cairo_image_surface')
This commit fixes this by adding a NULL check.
Signed-off-by: Uli Schlachter <psychon@znc.in>
-----BEGIN PGP SIGNATURE-----
iQJOBAABCgA4FiEEpmEQCz2sHU8srYpU5gOyV4+48PsFAl/Cz0AaHGJyeWNlQGJy
eWNlaGFycmluZ3Rvbi5vcmcACgkQ5gOyV4+48PtUXxAAnYipgwpcIKWoSt4eP1o/
SPqeupY0AQUWB8y6xKoAhcBzt/HOQBqMxWo+zJSkIndJMRusezSmnt+qHY1bXGTX
pqyipyYfSUJnT6BB/iZvwcAPlW2ISLuI85qdW126nKX9jxCx1uTejogGzeLC2nLK
DucPZ1N7HU87GEc2mcl1aYkwTHp1f4jEQhRFExvCJg9YA3W+SgDQ2XEMEeewqljM
/AT7tL3yWFCv4OU5ci7qhUZPp9ZgWZ1vc+0zS1MgpVo7XwxUWL+NaCbhbVJoH6Dq
rwPE+RJOh1zkkatY/jZQYmW65gnqxed7lcUJ8XmRCUQiIQNvKzYApthj1EW4bxV4
yxz+O6OiHlnnf20IwqAirEeHOUHYwINHVTE/UZovB1pu983iPQztNH9wfSmhDkhj
MS+mNVyLJc4Jb/UQvLOkDVljuT2tmtOYytSeMb5z0D+EjBPDAnWZk9RV7UouK+nF
HjuXEC45NEPzD5H4G8R4HZXBlSbV/SuzyS0Ljor8GBSdAJ9Xf6pDojgNCXLzHgny
byD1j7jB5rqmGfy72IRUtLFqThroEiTaKXPNJ44P9lK/YdpBZfn99BmtLEUETNeM
enm8ex1CWYrzLlq5UwM/2FYLE6Tiy5AQOqGfcnQpuaEG4qKao5Za7hmUy3yWitfa
OK/2GwlDbHXfu/Ekg1kzzFk=
=jna2
-----END PGP SIGNATURE-----
Merge tag '1.17.4'
cairo 1.17.4 release
We are not quite sure what happened, but the 1.17.4 tag and the master
branch have different Git histories, but the same content. The merge
commits are missing from the history of the tag. This merge is simply
the result of "git merge 1.17.4".
This fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/446
Surfaces from _cairo_surface_create_in_error() have no backend. This
commit fixes a NULL pointer dereference in cairo_win32_surface_get_dc().
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/405
Signed-off-by: Uli Schlachter <psychon@znc.in>
In commit 10e58a4a I changed the code in cairo-surface.c to avoid
setting surface->is_clear = FALSE; in some situations where it was not
necessary, because the operation did not actually modify anything (it
returned CAIRO_INT_STATUS_NOTHING_TO_DO). However, that change
accidentally also caused _cairo_surface_paint() not to set
surface->is_clear = TRUE; in similar cases. That was unintended.
This commit fixes that by always setting is_clear = TRUE when necessary,
but keeps the optimisation of not setting is_clear = FALSE when not
necessary.
The connection to the below issue is that the issue happened with
surfaces with width=0. Clearing such a surface with CAIRO_OPERATOR_CLEAR
causes CAIRO_INT_STATUS_NOTHING_TO_DO and thus is_clear = TRUE was not
set. This error was later caught by a failed assertion.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/283
Signed-off-by: Uli Schlachter <psychon@znc.in>
An error in _cairo_surface_snapshot_copy_on_write() results in a
snapshot in an error state and the snapshot's ->target could now point
to a surface from _cairo_surface_create_in_error(). These surfaces e.g.
have ->backend == NULL. Thus, anything looking at ->backend->type now
explodes. This commit deals with two places which caused segfaults in
this situation.
There is no test case for this, because
_cairo_surface_snapshot_copy_on_write() really is not supposed to fail.
Found-while-investigating: https://gitlab.freedesktop.org/cairo/cairo/-/issues/448
Signed-off-by: Uli Schlachter <psychon@znc.in>
The code in cairo-cff-subset.c parses a binary format without seeming to
bother much with verifying the data. The result is that poppler can be
used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
via a crafted font file. Fix this by adding the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/451
Signed-off-by: Uli Schlachter <psychon@znc.in>
The code was copying from the wrong member of an union. This caused a
huge num_dashes value to be read, which then caused a so large memory
allocation that malloc returned an error.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/448
Signed-off-by: Uli Schlachter <psychon@znc.in>
The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.
The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.
No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/444
Signed-off-by: Uli Schlachter <psychon@znc.in>
The code here temporary replaces extents->clip with another clip to call
a function. Afterwards, it restores the previous copy. The temporary
clip is only freed when it still is pointed to by extents->clip.
This logic is wrong. It is indeed possible that the clip is simplified
and changes. In this case, the original clip is also correctly freed.
However, this still means that we have to clean up and destroy the new
clip. The previous code just leaked it.
This was originally identified by Massimo in [1]. I am just committing
his patch.
[1]: https://bugs.freedesktop.org/show_bug.cgi?id=91267
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/24
Signed-off-by: Uli Schlachter <psychon@znc.in>
Since we now copy the data that CGImage needs we don't need to
keep the surface around anymore, nor release it or the image in the
DataProviderReleaseCallback.
Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
StemSnapH and StemSnapV have operands of type delta which can be
a number or an array of delta-encoded numbers. This array can be
empty according to freetype developers.
This commit checks whether current operator is among those listed
and permits empty operand in such case.
Operators BlueValues, OtherBlues, FamilyBlues, FamilyOtherBlues,
StemSnapH and StemSnapV have operands of type delta which can be
a number or an array of delta-encoded numbers. This array can be
empty according to freetype developers.
This commit checks whether current operator is among those listed
and permits empty operand in such case.
That way when other projects consume our declared dep, they get
transitive dependencies too based on what features cairo was built
with. Without this, projects that build cairo as a subproject and also
build, say, fontconfig as a subproject will fail to find cairo-ft.h
(etc).
It was originally added to make bisecting easier,
but has outlived its usefuleness now.
Going forward we'll have just a single cairo-version.h
header file, the one with the real version numbers.
This is needed to fix the case where cairo is being
built as a Meson subproject, but also simplifies
things in general.
Fixes#421
'make check' currently fails with the following in src/test-suite.log
(how can one tell automake not to hide the error message in a file?!?):
FAIL: check-doc-syntax.sh
=========================
Checking documentation for incorrect syntax
./cairo-cogl-surface.c: * cairo_cogl_pipeline_ts. On failure, both pointers will be set to
./cairo-cogl-surface.c:/* Mostly taken from cairo_vg_surface.c */
Error: some function names in the docs are not followed by parentheses.
Fix this by searching for the following regexp in the above files:
'^[^:]*:[/ ][*]\(\|[ ].*\)\([^#']\|^\)\<\(cairo_[][<>/0-9a-z_]*\>[^][<>(]\)'
FAIL check-doc-syntax.sh (exit status: 1)
This commit silences that. The fix is likely not correct, but since
these are normal comments and not actual doc comments, it does not
matter much.
Signed-off-by: Uli Schlachter <psychon@znc.in>
This constitutes few fixes that are necessary to compile correctly
and reduce errors when using musl libc.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This removes code that uses the cogl-path library, which was not
used except when manually modifying a preprocessor flag. It could
not use path caching, was slightly broken, and all of its
functionality was provided better by different code paths.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This redesigns the path cache so that it does not mess with the
context functions, thereby hopefully making it much more resilient
to changes in the rest of cairo that change the way the default
context works. It is also much simpler, and it is anticipated that
it will be more maintainable. Performance in contrast to the old
cache design speeds up most traces in cairo-perf-trace, and slows
down only a lesser few by <20%.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This adds very basic path-based font support to the cogl backend,
improving cairo-perf-trace performance by 6x or more on many traces.
This still is not the most desirable form of font support, which
would resemble the texture-based glyph caching in the gl backend or
use cogl-pango to automatically cache glyphs.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This makes it so that RGB24 surfaces are represented in such a way
that does not require expensive format conversions during pixel
packing and unpacking.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This mirrors a linear gradient by dobling its size and reflecting it
in the case that hardware does not support mirrored repeating.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This makes sure the journal is flushed after it reaches a certain
size, so that very large amounts of memory are not consumed if an
explicit flush is not triggered.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
This ensures that if the source surface does not have an alpha
component (such as those with format RGB24), it is not blended
as if it does.
Signed-off-by: George Matsumura <gmmatsumura01@bvsd.org>
