To avoid any possibility of uninitialized memory.
The exceptions are:
- where the allocation is immediately overwritten by a memcpy or struct copy.
- arrays of structs to avoid any performance impact (except when the
array is returned by the public API).
Before this commit, calling cairo_device_finish() on a cairo-script
context did not actually do anything in the backend. Thus, it was
possible to continue emitting output on the script context even after it
was finished, which means that API user had no way of preventing
use-after-free bugs in their write callback. Bug 277 triggers this via
detaching a snapshot, but I guess one could also simply continue drawing
to a script surface.
This commit implements the finish function by closing the underlying
stream.
However, that was not enough to fix things. This commit also turns
writing into a stream into a no-op after the stream was closed.
I checked that the new test case actually fails before this commit and
is indeed fixed by it.
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/277
Signed-off-by: Uli Schlachter <psychon@znc.in>
Run the command below suggested by geirha in ##sed@irc.freenode.net.
git grep -l 'http://.*gnome.org' | xargs sed -i 's|http\(://\([[:alnum:].-]*\.\)\{0,1\}gnome\.org\)|https\1|g'
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
_cairo_malloc(0) always returns NULL, but has not been used
consistently. This patch replaces many calls to malloc() with
_cairo_malloc().
Fixes: fdo# 101547
CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Until now fopen was used on Windows to open files for reading and
writing. This assumed however that the filename would be encoded in the
current codepage, which is a major inconvenience and makes it even
impossible to use filenames that use characters from more than one
codepage. This patch enforces the use of UTF-8 filenames on all
platforms.
Based on the work of Owen Taylor (https://lists.cairographics.org/archives/cairo/2007-February/009591.html)
Refactor out a cairo_get_locale_decimal_point() routine to handle a case
where localeconv() is not available.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=70492
Reviewed-by: Bryce Harrington <b.harrington@samsung.com>
[edit: Condensed cairo_get_locale_decimal_point and conditionalized
locale.h inclusion. -- bryce]
Sometimes as a result of rounding errors in matrix transformations the
matrices in ps/pdf output look like:
0.000000000000000061 1 1 -0.000000000000000061 0 842 cm
This patch rounds to zero matrix elements that are very small compared to
other elements in the same matrix.
Having spent the last dev cycle looking at how we could specialize the
compositors for various backends, we once again look for the
commonalities in order to reduce the duplication. In part this is
motivated by the idea that spans is a good interface for both the
existent GL backend and pixman, and so they deserve a dedicated
compositor. xcb/xlib target an identical rendering system and so they
should be using the same compositor, and it should be possible to run
that same compositor locally against pixman to generate reference tests.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
P.S. This brings massive upheaval (read breakage) I've tried delaying in
order to fix as many things as possible but now this one patch does far,
far, far too much. Apologies in advance for breaking your favourite
backend, but trust me in that the end result will be much better. :)
What we want to use is size_t, but we don't want the implied POSIX
dependency. However, POSIX does say that size_t is an unsigned integer
that is no longer than a long, so it would appear safe to use an
unsigned long as a replacement. Safer at least than unsigned int.
I updated the Free Software Foundation address using the following script.
for i in $(git grep Temple | cut -d: -f1 )
do
sed -e 's/59 Temple Place[, -]* Suite 330, Boston, MA *02111-1307[, ]* USA/51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA/' -i "$i"
done
Fixes http://bugs.freedesktop.org/show_bug.cgi?id=21356
A new meta-surface backend for serialising drawing operations to a
CairoScript file. The principal use (as currently envisaged) is to provide
a round-trip testing mechanism for CairoScript - i.e. we can generate
script files for every test in the suite and check that we can replay them
with perfect fidelity. (Obviously this does not provide complete coverage
of CairoScript's syntax, but should give reasonable coverage over the
operators.)
Allow the user to specify a NULL write_func for the output stream so that
a dummy surface can be created, for example, for querying target font
options or font extents.
Currently we do not perform any sanity checks at the user entry point and
will generate a mysterious SEGV during cairo_surface_finish() - which may
not immediately be obvious that it is due to a NULL write_func.
Principally to support creating a dummy vector surface (i.e.
cairo_ps_surface_create (NULL, 1, 1)) that can be used to determine font
extents (or target font options) before opening an output file, but also
because we currently fail to do any sanity checking at the entry point.
The %g conversion specifier is for printing numbers that were at some
time stored in a cairo_fixed_t type and as a result have their
precision limited by the size of CAIRO_FIXED_FRAC_BITS.
Using %g will limit the number of digits after the decimal point to
the minimum required to preserve the available precision.
strdup() and friends require at least _BSD_SOURCE or
_XOPEN_SOURCE >= 500 to be defined for the prototypes to be included.
For the time being, add the define to each source file that requires one
of the BSD functions.
Need to use __WIN32__ instead of _MSC_VER to select _snprintf in
place of snprintf when cross compiling. Otherwise all all %ld
arguments get misprinted resulting in broken PDF output.
Use a utility function to wrap an incoming error status into a new
error stream. As a side-effect, all error streams must be destroyed as
in the general case the caller can not distinguish between a static
error object and one allocated to hold an unusual error status.
After using fopen() and friends check the global errno to determine the
most appropriate error return - especially important when running
memfault, where correct reporting of NO_MEMORY errors is required.
The previous commit increased the precision of floats from 6 digits
after the decimal point to 18 digits to correct rounding errors with
very small numbers. However most of the time this extra precision is
not required and results in increased PS/PDF output.
This commit makes the precision after the decimal point 6 significant
digits. For example:
1.234567
0.123456
0.00123456
0.00000000123456
We write floats using %f as the scientific format used by smarter %g is
invalid in PS/PDF. %f however by default rounds to five digits after
decimal point. This was causing precision loss and making the newly
added degenerate-pen test fail for PDF. We now print up to 18 digits
which is as many bits doubles can accomodate. We can be smarter, but
that's for another commit.
Every time we assign or return a hard-coded error status wrap that value
with a call to _cairo_error(). So the idiom becomes:
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
or
return _cairo_error (CAIRO_STATUS_INVALID_DASH);
This ensures that a breakpoint placed on _cairo_error() will trigger
immediately cairo detects the error.
As previously implemented, there's no essential information in the
return value from _cairo_dotostr, (the caller can simply use strlen
to recompute the same value, which is what the only caller is already
doing).
There would be real information in a return value which would return
the result from the call to snprintf for the case where the buffer is
not large enough for the number being printed.
This is necessary to avoid many portability problems as cairoint.h includes
config.h. Without a test, we will regress again, hence add it.
The inclusion idiom for cairo now is:
#include "cairoint.h"
#include "cairo-something.h"
#include "cairo-anotherthing-private.h"
#include <some-library.h>
#include <other-library/other-file.h>
Moreover, some standard headers files are included from cairoint.h and need
not be included again.
Previously, the convention was that static ones started with cairo_, but
renamed to start with _cairo_ when they were needed from other files and
became cairo_private instead of static...
This is error prune indeed, and two symbols were already violating. Now
all nil objects start with _cairo_.
