use-after-scope in cairo_fill
ASan complains about this:
==386746==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd3ccebdfc at pc 0x7f783d5eaaee bp 0x7ffd3cceba80 sp 0x7ffd3cceba70
READ of size 4 at 0x7ffd3ccebdfc thread T0
#0 0x7f783d5eaaed in _add_clipped_edge ../src/cairo-polygon.c:351
#1 0x7f783d5ebba3 in _cairo_polygon_add_edge ../src/cairo-polygon.c:520
#2 0x7f783d5ebc82 in _cairo_polygon_add_external_edge ../src/cairo-polygon.c:530
#3 0x7f783d582149 in _cairo_filler_line_to ../src/cairo-path-fill.c:63
#4 0x7f783d588d9c in _cairo_path_fixed_interpret ../src/cairo-path-fixed.c:831
#5 0x7f783d582a44 in _cairo_path_fixed_fill_to_polygon ../src/cairo-path-fill.c:147
#6 0x7f783d6204fe in _cairo_spans_compositor_fill ../src/cairo-spans-compositor.c:1151
#7 0x7f783d5126de in _cairo_compositor_fill ../src/cairo-compositor.c:203
#8 0x7f783d5571f9 in _cairo_image_surface_fill ../src/cairo-image-surface.c:1003
#9 0x7f783d647f2f in _cairo_surface_fill ../src/cairo-surface.c:2424
#10 0x7f783d52ebea in _cairo_gstate_fill ../src/cairo-gstate.c:1312
#11 0x7f783d51cca4 in _cairo_default_context_fill ../src/cairo-default-context.c:1057
#12 0x7f783d6812d6 in cairo_fill ../src/cairo.c:2421
[...]
Address 0x7ffd3ccebdfc is located in stack of thread T0 at offset 76 in frame
#0 0x7f783d62005a in _cairo_spans_compositor_fill ../src/cairo-spans-compositor.c:1104
This frame has 4 object(s):
[48, 52) 'fill_rule' (line 1101)
[64, 80) 'limits' (line 1141) <== Memory access at offset 76 is inside this variable
[96, 688) 'boxes' (line 1112)
[816, 1784) 'polygon' (line 1130)
[...]
And it is right.
cairo-spans-compositor.c:1052 has
{
cairo_box_t limits;
_cairo_box_from_rectangle (&limits, &extents->unbounded);
_cairo_polygon_init (&polygon, &limits, 1);
}
which initializes an on-stack box struct, then copies a pointer to it into the polygon, and ... then the struct immediately goes out of scope.
Not clear what the best fix is. I guess the box needs to live next to the polygon on the stack, to prevent it going out of scope too early.
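Added example, not part of the original report and not cairo's code: a reduced C model of the reported pattern beside the fix the report suggests (the box sharing the polygon's scope). The types `box_t` and `polygon_t`, all function names and the `SHOW_BUG` macro are hypothetical stand-ins; defining `SHOW_BUG` and building with `-fsanitize=address` compiles in the out-of-scope read.

```c
/* Added example: simplified stand-ins, not cairo's real types or functions. */
#include <stdio.h>
typedef struct { int x1, y1, x2, y2; } box_t;   /* stand-in for cairo_box_t */
typedef struct { const box_t *limits; int num_limits; int edges; } polygon_t;

/* Keeps the POINTER to the limits box; the box itself is not copied. */
static void polygon_init(polygon_t *p, const box_t *limits, int n)
{
    *p = (polygon_t){ limits, n, 0 };
}

/* Reads through the stored pointer, like the read in frame #0 of the report. */
static void polygon_add_edge(polygon_t *p, int top, int bottom)
{
    if (bottom > p->limits->y1 && top < p->limits->y2)
        p->edges++;                  /* edge overlaps the limits: keep it */
}

#ifdef SHOW_BUG
/* Reported pattern: 'limits' dies at the closing brace, the pointer lives on. */
int fill_buggy(void)
{
    polygon_t polygon;
    {
        box_t limits = { 0, 0, 100, 100 };
        polygon_init(&polygon, &limits, 1);
    }                                /* 'limits' is out of scope from here */
    polygon_add_edge(&polygon, 10, 20);    /* stack-use-after-scope read */
    return polygon.edges;
}
#endif

/* Suggested fix: the box is declared in the same scope as the polygon. */
int fill_fixed(void)
{
    polygon_t polygon;
    box_t limits = { 0, 0, 100, 100 };
    polygon_init(&polygon, &limits, 1);
    polygon_add_edge(&polygon, 10, 20);    /* inside the limits: kept */
    polygon_add_edge(&polygon, 150, 200);  /* outside the limits: dropped */
    return polygon.edges;
}
int main(void)
{
#ifdef SHOW_BUG
    printf("buggy: %d\n", fill_buggy());
#endif
    printf("fixed: %d edge(s) kept\n", fill_fixed());
    return 0;
}
```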