[cairo] crash copying recording surface to PDF surface with tags

Ben Pfaff blp at cs.stanford.edu
Sat Dec 26 18:46:59 UTC 2020

On Sat, Dec 26, 2020 at 10:25 AM Uli Schlachter <psychon at znc.in> wrote:
> Am 26.12.20 um 19:12 schrieb Ben Pfaff:
> [...]
> > I do still see the following use of an uninitialized value (I forgot
> > to report this before, sorry!):
> [...]
> > and the following memory leak:
> When do you see those? I only have debian's libcairo and current
> git/master. Of course, debian's libcairo gives me a crash. On current
> master, valgrind only reports six memory leaks from libpixman's
> initialisation code and no use of an uninitialized value.
> Would it be possible for you to check if this was already fixed in git?
> (You still have to apply the patch to fix that crash to master.)

OK.  Sorry, I should have done that before.  I was lazy, I guess.  Now,
I have applied the two patches to tip of master on Git, commit
979382dd302b ("Merge branch 'boilerplate-leak' into 'master'").

The memory leak is fixed.

I do still see the use of an uninitialized value, though.  I added
--track-origins to the valgrind command line and that gave the following
additional information:

    Uninitialised value was created by a heap allocation
      at 0x483877F: malloc (vg_replace_malloc.c:307)
      by 0x48CF16E: _cairo_recording_surface_snapshot (cairo-recording-surface.c:1563)
      by 0x48E9D96: _cairo_surface_snapshot_copy_on_write (cairo-surface-snapshot.c:193)
      by 0x48EDAE0: _cairo_surface_detach_snapshot (cairo-surface.c:349)
      by 0x48EDA4C: _cairo_surface_detach_snapshots (cairo-surface.c:334)
      by 0x48EF5B1: _cairo_surface_flush (cairo-surface.c:1626)
      by 0x48EEBE4: _cairo_surface_finish_snapshots (cairo-surface.c:1019)
      by 0x48EEA4C: cairo_surface_destroy (cairo-surface.c:963)
      by 0x1094E8: main (cairo-test.c:65)

Indeed, when I apply the following, the warning goes away:

diff --git a/src/cairo-recording-surface.c b/src/cairo-recording-surface.c
index 6df8b0821..1765e7da6 100644
--- a/src/cairo-recording-surface.c
+++ b/src/cairo-recording-surface.c
@@ -1561,6 +1561,7 @@ _cairo_recording_surface_snapshot (void *abstract_other)
     cairo_status_t status;
     surface = _cairo_malloc (sizeof (cairo_recording_surface_t));
+    memset (surface, 0, sizeof (cairo_recording_surface_t));
     if (unlikely (surface == NULL))
 	return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
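Review bot: the added `memset (surface, 0, sizeof (cairo_recording_surface_t));` sits before the `if (unlikely (surface == NULL))` check, so when `_cairo_malloc` fails the memset dereferences a NULL pointer and the existing CAIRO_STATUS_NO_MEMORY error path is never reached. Move the memset below the NULL check, or replace the `_cairo_malloc` call with a zeroing allocation (`calloc (1, sizeof (cairo_recording_surface_t))`, or cairo's own zeroing helper if one exists in this tree) so the allocation failure path stays intact. It would also help to note in the commit message which field the uninitialized read came from, since zeroing the whole struct papers over it rather than naming the member that was left unset.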
