Commit graph

8279 commits

Author SHA1 Message Date
Adrian Johnson
ded2092e20 Ensure outline font is used when CAIRO_COLOR_MODE_NO_COLOR is set 2023-01-17 22:57:15 +10:30
Adrian Johnson
745c3717aa Merge branch 'fix-shared-recording-surface' into 'master'
Fix shared use of recording surfaces

See merge request cairo/cairo!391
2023-01-16 08:59:32 +00:00
Adrian Johnson
6abc8076c9 Merge branch 'meson-and-doc-fixes' into 'master'
Meson and documentation fixes

See merge request cairo/cairo!406
2023-01-16 08:57:45 +00:00
Uli Schlachter
b23ecf6322 Merge branch 'test-png16-load' into 'master'
Add test for loading 16 bit PNG images

See merge request cairo/cairo!241
2023-01-15 19:54:04 +00:00
Adrian Johnson
7146358250 Fix shared use of recording surface with paginated targets
The problem is _cairo_recording_surface_replay_and_create_regions()
stores the cairo_recording_region_type_t in the same structure as the
recording commands. This does not work well when the recording surface
is used as source by multiple surfaces

Fix this by moving the cairo_recording_region_type_t into a separate
struct cairo_recording_regions_array_t. This struct is stored in a
list that allows multiple create regions results to be stored in the
surface.

The new function _cairo_recording_surface_region_array_attach() is
used to create a new cairo_recording_regions_array_t, attach it to the
recording surface and return a unique region id.

The _cairo_recording_surface_replay_and_create_regions() and
_cairo_recording_surface_replay_region() functions use this region id
to identify the cairo_recording_regions_array_t.

To handle nested recording surfaces, when replaying a recording, the
region id is passed to the target as an extra parameter in the surface
pattern. The wrapper surface makes a temporary copy of the pattern to
ensure the snapshot pattern in the recording surface is not modified.

cairo_recording_regions_array_t has a reference count so the target
can hold on to the cairo_recording_regions_array_t after the paginated
surface has called _cairo_recording_surface_region_array_remove().
2023-01-15 19:29:28 +10:30
Adrian Johnson
d027f15075 Documentation fixes 2023-01-15 19:00:22 +10:30
Adrian Johnson
c80cd3a0c6 Merge branch 'defining-windows-version-macros-in-meson-build' into 'master'
Defining Windows version macros in meson.build

See merge request cairo/cairo!404
2023-01-12 21:33:19 +00:00
Fujii Hironori
8520ef5221 Defining Windows version macros in meson.build
WINVER and _WIN32_WINNT macros were defined in each of the source files and
headers that were including <windows.h>. However, because DirectWrite
requires new Windows API, some files included <windows.h> without the
version macros. This inconsistency sometimes caused troubles.

Define the version macros in meson.build.
2023-01-13 05:47:03 +09:00
Adrian Johnson
dc4a887e7f PS: Wrap embedded EPS in %%BeginDocument/%%EndDocument as required by EPS spec
Fixes #620
2023-01-12 07:32:44 +10:30
Adrian Johnson
1e0249ae0d Merge branch 'bug-606' into 'master'
sizeof(cairo_atomic_int_t) should be sizeof(int)

Closes #606

See merge request cairo/cairo!401
2023-01-11 21:02:00 +00:00
Manuel Stoeckl
39179681d4 Add array bounds check for xrender format lookup
Before this change, images with RGB30, RGB96F, and RGBA128F formats
would have been given garbage xrender formats; now such images
use the fallback path and are converted to formats with an xrender
equivalent.
2023-01-11 06:38:43 -05:00
Adrian Johnson
08194cef53 Merge branch 'bug-619' into 'master'
Remove the unbounded recording surface assertion

Closes #619

See merge request cairo/cairo!399
2023-01-11 07:53:11 +00:00
Adrian Johnson
ad04670971 Merge branch 'bug-566' into 'master'
DWrite: Don't call _controlfp_s with MCW_PC

Closes #566

See merge request cairo/cairo!400
2023-01-10 21:31:05 +00:00
Fujii Hironori
2135fd4a49 sizeof(cairo_atomic_int_t) should be sizeof(int)
`_cairo_status_set_error` was using `_cairo_atomic_int_cmpxchg` to set
a `cairo_status_t` variable by casting a `cairo_status_t*` to
`cairo_atomic_int_t*`. `cairo_atomic_int` has a generic implementation
which is using a mutex. In the implementation, `cairo_atomic_int_t`
was typedef-ed to `cairo_atomic_intptr_t`. In a typical 64bit system,
cairo_atomic_intptr_t is 64bit and cairo_status_t is 32bit, so
_cairo_status_set_error didn't work as expected.

Define `cairo_atomic_int_t` as an alias of `int`.
Added an assertion in `_cairo_status_set_error` to ensure
that `*err` has the same size as `cairo_atomic_int_t`.

Fixes cairo/cairo#606
2023-01-11 06:11:28 +09:00
Fujii Hironori
a599720c88 DWrite: Don't call _controlfp_s with MCW_PC
GeometryRecorder class was calling _controlfp_s with MCW_PC to reset
the floating point precision to default. However, MCW_PC isn't
supported for ARM or x64 platforms. It reports an assertion failure
for them. And, Cairo isn't changing the MCW_PC setting. Removed the
calls. Also, removed `GetFixedX` and `GetFixedY` methods because they
called only `_cairo_fixed_from_double`.

Fixes cairo/cairo#566
2023-01-11 05:39:13 +09:00
Uli Schlachter
5ecfc2eb5d Merge branch 'bug-607' into 'master'
Don't leave a font face in an error state after a scaled font creation failure

Closes #607

See merge request cairo/cairo!402
2023-01-10 17:10:10 +00:00
Adrian Johnson
72cc5ae5fa Merge branch 'pr/Fix617' into 'master'
Fix wrong paginated surface size (issue #617)

Closes #617

See merge request cairo/cairo!395
2023-01-10 11:10:08 +00:00
Adrian Johnson
1cfea7d979 Merge branch 'colr-v1' into 'master'
COLRv1 glyph renderer

See merge request cairo/cairo!397
2023-01-10 11:09:11 +00:00
Fujii Hironori
5e73c107f5 Don't leave a font face in an error state after a scaled font creation failure
Scaled font creation may fail if the font size is very large on
win32. But, don't leave the font face in an error state in such a
case.

Fixes cairo/cairo#607
2023-01-10 16:01:20 +09:00
Fujii Hironori
7eff124d09 Remove the unbounded recording surface assertion
There was an assertion in
`_cairo_recording_surface_acquire_source_image` to ensure the surface
isn't unbounded. However, this assertion was failing for
`record-paint` test on Windows.

Removed the assertion and return `CAIRO_INT_STATUS_UNSUPPORTED` if the
surface is unbounded.

Fixes cairo/cairo#619
2023-01-10 13:15:31 +09:00
Adrian Johnson
efe303d9db Remove autotools build 2023-01-08 22:27:47 +10:30
Adrian Johnson
dd8f55100a Require -DDEBUG_ENABLE_COLR_V1 to enable the COLR v1 renderer
Once there is a FreeType release where the COLR v1 API is no longer
marked experimental, we can change this to a version check.
2023-01-08 15:15:13 +10:30
Adrian Johnson
89d004432b COLRv1: Use cairo style and types 2023-01-08 15:15:13 +10:30
Adrian Johnson
2dfc52064e Use cairo-ft-font.c decompose function 2023-01-08 15:15:13 +10:30
Adrian Johnson
1129b194b5 Render COLRv1 to a recording surface 2023-01-08 15:15:13 +10:30
Adrian Johnson
9ed34574a6 Fix a couple of bugs and add a #define to enable debug 2023-01-08 15:15:13 +10:30
Adrian Johnson
3c8dec60e5 Integrate COLR v1 renderer with cairo-ft-font.c 2023-01-08 15:15:13 +10:30
Adrian Johnson
e892d0e92f COLRv1 glyph renderer
Matthias Clasen's COLR v1 glyph renderer from !370
2023-01-08 10:00:29 +10:30
Benjamin Hennion
477c134412 Make _cairo_paginated_surface_set_size take double-typed width and
height (instead of integers).

    Both cairo_pdf_surface_set_size and cairo_ps_surface_set_size passed on
    their width and height arguments (of type double) directly to
    _cairo_paginated_surface_set_size(cairo_paginated_surface_t*, int, int),
    so the width and height were truncated.
    A small part of the surface was then inaccessible for drawing (stripes
    on the right and bottom of the surface).
    This fixes that.
2023-01-07 13:08:38 +01:00
Uli Schlachter
089cfb5558 Fix docs for cairo_surface_[sg]et_device_scale
Fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/616
Signed-off-by: Uli Schlachter <psychon@znc.in>
2023-01-06 18:00:40 +01:00
Uli Schlachter
3a7bb13582 Fix a leak in the cairo-svg-glyph-renderer
This svg

  <svg /><path stroke-dasharray=""fill="url(# "id=""/>

Led to two memory leaks like the following:

 98 bytes in 98 blocks are definitely lost in loss record 2 of 11
    at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x4EB8789: strdup (strdup.c:42)
    by 0x493C450: save_graphics_state (cairo-svg-glyph-render.c:2894)

This happened because the value of gs->dash_array was replaced without
freeing the previous value. This commit adds the missing free and fixes
the leak.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54830
Signed-off-by: Uli Schlachter <psychon@znc.in>
2023-01-05 17:14:34 +01:00
Adrian Johnson
13a0474641 Merge branch 'mingw-fixes' into 'master'
Fix mingw build failure when SVG fonts enabled

See merge request cairo/cairo!389
2023-01-03 19:03:50 +00:00
Adrian Johnson
ca0f8ffd84 Merge branch 'foreground-color-in-group' into 'master'
User-fonts fails when foreground color used inside a group

See merge request cairo/cairo!380
2023-01-03 07:45:35 +00:00
Adrian Johnson
f0ce8658f9 Fix user-font with foreground in group failures on image, PDF, and PS 2023-01-03 17:37:36 +10:30
Adrian Johnson
3d102f25c9 Use _cairo_strndup where appropriate 2023-01-03 16:01:51 +10:30
Adrian Johnson
6d03a18649 Fix leak 2023-01-03 15:28:02 +10:30
Adrian Johnson
dcc6c2c806 Fix mingw warning: "ERROR" redefined 2023-01-03 15:27:05 +10:30
Adrian Johnson
5e0e40e3c5 Fix mingw build failure when SVG fonts enabled
Add missing strndup() function. Copied the strndup() implementation
from util/cairo-missing/strndup.c plus a bug fix.
2023-01-03 15:27:03 +10:30
Adrian Johnson
e8b622ebe6 Support check-def.sh in meson build
The original check-def.sh called make. In meson, check-def.sh is
replaced by two shell scripts, one for generating cairo.def, the other
for comparing with the library symbols.

The library filename appended to the cairo.def has been omitted as
this is only required in autotools builds where the cairo.def is also
used to generate cairo.dll in the windows build.

make-cairo-def.sh is based on the cairo.def target in Makefile.am.
meson-check-def.sh is based on check-def.sh
2023-01-02 22:43:39 +10:30
Uli Schlachter
8dbc5893f7 Merge branch 'jpx-out-of-bounds' into 'master'
Fix possible out-of-bound reads in get_jpx_info

See merge request cairo/cairo!387
2023-01-02 09:28:42 +00:00
Uli Schlachter
e60e562fd1 Fix possible out-of-bound reads in get_jpx_info
Inspired by [1], I looked into the other functions in
cairo-image-info.c. This commit fixes the possible out-of-bound reads
that I found just by staring at the code.

_jpx_next_box() would happily read beyond the end of the data via
get_unaligned_be32(). This commit adds checks that at least four bytes of
data are available.

Additionally, I made this function check that its returned pointer is
within bounds, just because I found this easier to reason about.

Also, _jpx_extract_info() did not check that it had enough data to read.
This is fixed by making the function fallible and giving it information
about the end of data.

[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/386

Signed-off-by: Uli Schlachter <psychon@znc.in>
2023-01-01 14:01:46 +01:00
Uli Schlachter
d623090b32 Fix an out of bounds read in _jbig2_get_next_segment()
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38451
Signed-off-by: Uli Schlachter <psychon@znc.in>
2023-01-01 09:43:33 +01:00
Uli Schlachter
7de261b0b1 Merge branch 'script-bug-277' into 'master'
script: Implement device finish

Closes #277

See merge request cairo/cairo!292
2022-12-31 15:13:59 +00:00
Uli Schlachter
c24c657525 Improve cff index reading code
In a recent MR [1], Adrian Johnson writes:

  For additional safety you could change the unsigned long to size_t
  since long is 32-bits on Win64. The CFF spec says the offset size used
  in decode_index_offset must be between 1 and 4 so you could range
  check that to avoid overflowing the offset.

This commit implements exactly that.

[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743

Signed-off-by: Uli Schlachter <psychon@znc.in>
2022-12-31 14:21:28 +01:00
Uli Schlachter
c56c3023bb Merge branch 'oob-cff-subset' into 'master'
Fix out-of-bounds access in cff subset

See merge request cairo/cairo!382
2022-12-31 13:20:07 +00:00
Uli Schlachter
cc656934da Fix a possible out-of-bounds read
While working on the previous commit, I noticed that nothing makes sure
that the entry points within the font data. Thus, this could easily
cause out-of-bounds reads.

This commit adds a suitable length check for this.

Signed-off-by: Uli Schlachter <psychon@znc.in>
2022-12-31 13:43:32 +01:00
Uli Schlachter
52760fc90e Fix out-of-bounds access in cff subset
I was looking at [1]. While trying to reproduce the problem that is
described there, valgrind reported:

 Argument 'size' of function malloc has a fishy (possibly negative) value: -8
    at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
    by 0x4B20E92: cairo_cff_font_read_name (cairo-cff-subset.c:895)
    by 0x4B221AD: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
    by 0x4B24EF2: cairo_cff_font_generate (cairo-cff-subset.c:2587)
    by 0x4B25EA3: _cairo_cff_subset_init (cairo-cff-subset.c:2979)

This commit is about fixing the above.

The function decode_index_offset() returns an unsigned long. This value
was cast to an "int" in cff_index_read(), leading to a possibility for
over/underflow. Also, nothing checked that an entry in the index table
had a non-zero length, leading to an entry with length -8 as reported by
valgrind.

Fix this by using "unsigned long" for the local variables and checking
the length to be non-negative.

With the above fixed, the original test case started crashing.
Apparently, cairo_cff_font_read_name() does not expect nor handle
failures from cff_index_read(). Thus, a check for this case was added to
make the new crash go away.

[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51324

Signed-off-by: Uli Schlachter <psychon@znc.in>
2022-12-31 13:43:24 +01:00
Uli Schlachter
488209d9e9 Fix memory leak in type3 glyph surface
In _cairo_type3_glyph_surface_create(), we call
_cairo_surface_clipper_init(), but nothing ever called
_cairo_surface_clipper_reset() in this call. This commit adds that
missing call.

This fixes a leak of a clip.

Since I have no clue about this code (does _cairo_pdf_operators_fini()
possibly use the clipper?), I did the patch like this. This should avoid
any possibility for a use-after-free.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51043
Signed-off-by: Uli Schlachter <psychon@znc.in>
2022-12-31 13:30:57 +01:00
Adrian Johnson
3a60f6e138 Merge branch 'ft-svg-fonts' into 'master'
Support SVG fonts in FT backend

See merge request cairo/cairo!319
2022-12-31 09:27:57 +00:00
Uli Schlachter
a2d05a0c34 ps: Fix crash in self-copy-overlap
According to valgrind, there is a use-after-free here. The function
_cairo_ps_surface_emit_surface() temporarily replaces some member of a
struct and then later re-sets it. However, there is an early return
possible that would skip that part of the code.

This commit moves the re-set up so that no freed pointers are left
behind. This seems to fix the crash.

Signed-off-by: Uli Schlachter <psychon@znc.in>
2022-12-28 11:15:01 +01:00