[cairo-commit] 2 commits - src/cairo-svg-surface.c

[GitLab Mirror]

 src/cairo-svg-surface.c |    1 -
 1 file changed, 1 deletion(-)

New commits:
commit 5b662c925cc34d3a35edfc6a6bb0077d1701bcf0
Merge: 061430509 d7cb417e0
Author: Uli Schlachter <psychon at znc.in>
Date:   Fri Apr 22 16:34:39 2022 +0000

    Merge branch 'fix-uaf-stream_internal' into 'master'
    
    Fix a use after free in _cairo_svg_surface_create_for_stream_internal
    
    Closes #561
    
    See merge request cairo/cairo!315

commit d7cb417e0edde2756ec9f19ca1eb99fd33133cd0
Author: Feysh INC <opensource at feysh.com>
Date:   Fri Apr 22 21:24:09 2022 +0800

    Fix a use after free in _cairo_svg_surface_create_for_stream_internal
    
    When `_cairo_svg_surface_create_for_document()` failed, it will free the
    `document` by `_cairo_svg_document_destroy()`. But after `_cairo_svg_surface_create_for_document` return a error status, the `document` is still used and destoryed by `_cairo_svg_document_destroy()`.
    
    We remove the redundant `_cairo_svg_document_destroy()` in `_cairo_svg_surface_create_for_stream_internal` to avoid this bug.
    
    This fixes #561.
    
    Signed-off-by: Feysh INC <opensource at feysh.com>

diff --git a/src/cairo-svg-surface.c b/src/cairo-svg-surface.c
index c6d9382b3..dfb72b2ad 100644
--- a/src/cairo-svg-surface.c
+++ b/src/cairo-svg-surface.c
@@ -1142,7 +1142,6 @@ _cairo_svg_surface_create_for_stream_internal (cairo_output_stream_t	*stream,
     surface = _cairo_svg_surface_create_for_document (document, CAIRO_CONTENT_COLOR_ALPHA,
 						      width, height, TRUE);
     if (surface->status) {
-	status = _cairo_svg_document_destroy (document);
 	return surface;
     }