[cairo] [PATCH] win32: Attempt to solve a nasty use-after-free by the caller of clone_similar()

Jeff Muizelaar jeff at infidigm.net
Thu Feb 26 12:12:15 PST 2009

On Thu, Feb 26, 2009 at 01:42:04PM -0500, Owen Taylor wrote:
> It would be instructive to me to have detail on the actual bug here. I
> agree that if you clone_similar() a Win32 surface, you can get a pointer
> to the ->image internal object, and that doesn't have a backreference to
> the win32 surface.
> But it's hard for me to see how that would create a problem, unless
> someone was keeping the clone past the scope of the cairo operation.

Here's what happens:

src = a win32 surface without an associated image surface
dest = an image surface

	- this creates a new win32 surface (temp_win32) with an associated image surface 
	  that the contents of src are BitBlt'd onto. The image surface
	  uses bits from CreateDIBSection()

	- returns a new reference to temp_win32.image

	- destroys temp_win32
		- win32_finish will DeleteObject() the bits associated
		  with temp_win32.image

at this point we have a reference to an image surface that has had it's
bits deleted. This reference is used for compositing later on which
causes a crash.


More information about the cairo mailing list