[cairo] [PATCH] win32: Attempt to solve a nasty use-after-free by the caller of clone_similar()
jeff at infidigm.net
Thu Feb 26 12:12:15 PST 2009
On Thu, Feb 26, 2009 at 01:42:04PM -0500, Owen Taylor wrote:
> It would be instructive to me to have detail on the actual bug here. I
> agree that if you clone_similar() a Win32 surface, you can get a pointer
> to the ->image internal object, and that doesn't have a backreference to
> the win32 surface.
> But it's hard for me to see how that would create a problem, unless
> someone was keeping the clone past the scope of the cairo operation.
Here's what happens:
src = a win32 surface without an associated image surface
dest = an image surface
- this creates a new win32 surface (temp_win32) with an associated image surface
that the contents of src are BitBlt'd onto. The image surface
uses bits from CreateDIBSection()
- returns a new reference to temp_win32.image
- destroys temp_win32
- win32_finish will DeleteObject() the bits associated
at this point we have a reference to an image surface that has had it's
bits deleted. This reference is used for compositing later on which
causes a crash.
More information about the cairo