[cairo] pixman crash from setting clip region on image surface (patch)

Vladimir Vukicevic vladimir at pobox.com
Sat May 8 01:59:02 PDT 2004


Hi Carl,

Carl Worth wrote:
> On Wed, 05 May 2004 20:21:37 -0700, Vladimir Vukicevic wrote:
> 
>>The attached patch fixes this; just a patch to icimage.c to check if the 
>>region is not NULL before setting a new clipping region.
> 
> Thanks. This is committed.

More problems on this front, but I'm not sure what the fix is.  When 
pixman gets a clip region set via pixman_image_set_clip_region, it takes 
ownership of this region and later destroys it in 
pixman_image_destroyClip when the clip region is changed.

However, cairo also keeps track of the clip region in 
gstate->clip.region, and calls pixman_region_destroy on it in 
_cairo_gstate_fini, among others.  So, given that cairo creates a region 
in _cairo_gstate_clip, and then assigns it to gstate->clip.region and 
calls _cairo_surface_set_clip_region() (which in turn calls 
pixman_image_set_clip_region) using the same pointer, we end up with a 
double free in many places where pixman_region_destroy() is called in 
cairo_gstate.c.

One solution is to always create a copy of the region before calling 
_cairo_surface_set_clip_region (or that this function creates a copy 
before calling the back end implementation); however, this would mean 
that all the back ends would have to agree to clean up that region if 
they don't use pixman_image_set_clip_region().

Any thoughts on how to fix this?

Thanks,
	- Vlad

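The double free described above can be reduced to a small ownership model. This is an added example, not cairo or pixman code: the types and functions below (region_t, image_t, gstate_t, image_set_clip_region, gstate_fini, run_scenario) are hypothetical stand-ins for pixman_region_t, pixman_image_t, cairo_gstate_t and the routines named in the mail. Regions come from a static pool and are never really freed, so the second destroy is counted rather than executed as undefined behaviour. The shared-pointer path reproduces the problem; the copy path is the first fix the mail proposes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins (not cairo or pixman types) for pixman_region_t,
 * pixman_image_t and cairo_gstate_t, reduced to what the ownership issue
 * needs. Regions live in a static pool and are never actually freed, so a
 * second "destroy" can be detected instead of being undefined behaviour. */
typedef struct {
    int x, y, w, h;
    int live;           /* 1 until the region has been destroyed */
} region_t;

#define POOL_SIZE 8
static region_t pool[POOL_SIZE];
static int pool_used;

static void pool_reset(void) { memset(pool, 0, sizeof pool); pool_used = 0; }

static region_t *region_create(int x, int y, int w, int h) {
    if (pool_used >= POOL_SIZE) return NULL;
    region_t *r = &pool[pool_used++];
    r->x = x; r->y = y; r->w = w; r->h = h; r->live = 1;
    return r;
}

/* The copy the mail suggests handing to the back end instead of the original. */
static region_t *region_copy(const region_t *r) {
    return r ? region_create(r->x, r->y, r->w, r->h) : NULL;
}

/* Models pixman_region_destroy. Returns 1 if the region was already
 * destroyed, i.e. this call would have been a double free. */
static int region_destroy(region_t *r) {
    if (!r) return 0;
    if (!r->live) return 1;
    r->live = 0;
    return 0;
}

typedef struct { region_t *clip; } image_t;                           /* pixman_image_t */
typedef struct { region_t *clip_region; image_t *target; } gstate_t;  /* cairo_gstate_t */

/* Models pixman_image_set_clip_region: the image takes ownership of r and
 * destroys whatever clip it held before. */
static int image_set_clip_region(image_t *img, region_t *r) {
    int dbl = region_destroy(img->clip);
    img->clip = r;
    return dbl;
}

/* Models the image teardown that destroys the clip pixman owns. */
static int image_destroy(image_t *img) {
    int dbl = region_destroy(img->clip);
    img->clip = NULL;
    return dbl;
}

/* Buggy shape from the mail: gstate and image keep the same pointer. */
static int gstate_clip_shared(gstate_t *gs, region_t *r) {
    gs->clip_region = r;
    return image_set_clip_region(gs->target, r);
}

/* Proposed fix: the back end gets its own copy, gstate keeps the original. */
static int gstate_clip_copy(gstate_t *gs, region_t *r) {
    gs->clip_region = r;
    return image_set_clip_region(gs->target, region_copy(r));
}

/* Models _cairo_gstate_fini destroying gstate->clip.region. */
static int gstate_fini(gstate_t *gs) {
    int dbl = region_destroy(gs->clip_region);
    gs->clip_region = NULL;
    return dbl;
}

/* Plays clip -> gstate teardown -> surface teardown and returns how many
 * double destroys were detected (0 is the desired outcome). */
static int run_scenario(int use_copy) {
    image_t img = { NULL };
    gstate_t gs = { NULL, &img };
    int dbl = 0;
    pool_reset();
    region_t *r = region_create(0, 0, 10, 10);
    dbl += use_copy ? gstate_clip_copy(&gs, r) : gstate_clip_shared(&gs, r);
    dbl += gstate_fini(&gs);     /* cairo destroys what it believes it owns */
    dbl += image_destroy(&img);  /* pixman destroys what it believes it owns */
    return dbl;
}

int main(void) {
    printf("shared pointer: %d double destroy(s)\n", run_scenario(0));
    printf("copied region : %d double destroy(s)\n", run_scenario(1));
    return 0;
}
```

The copy approach carries exactly the caveat raised in the mail: once the front end hands over a copy, every back end that does not pass it to a destructive owner like pixman_image_set_clip_region() must destroy that copy itself, or the fix trades a double free for a leak. The model makes that visible because image_destroy() is what releases the copy; a back end with no equivalent teardown would leave pool entries live.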