A use after free bug in src/cairo-svg-surface.c
Hello,
Our team found a use-after-free bug in the source code of the current project.
Bug File: src/cairo-svg-surface.c
Bug Function: _cairo_svg_surface_create_for_stream_internal
We have provided an HTML-formatted bug description in the attachment.
Brief description of this bug:
In the function _cairo_svg_surface_create_for_stream_internal(), document is released in the CLEANUP branch of the callee _cairo_svg_surface_create_for_document(), and then the callee returns an error status.
Afterwards, _cairo_svg_document_destroy() is called again and document is dereferenced with the statement document->refcount--, which is a use-after-free bug. If execution continues, the document will also be freed again, causing a double-free bug.
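The ownership mistake described above, as an added example that is not cairo's code: a constructed model of a refcounted document, a callee that releases the caller's reference in its cleanup branch before returning an error (the pattern the report describes), a callee that leaves the caller's reference alone (one correct contract), and a caller that releases once on the error path. The names document_t, document_destroy, surface_create_releasing, surface_create_nonreleasing and run are hypothetical; the `freed` flag stands in for what AddressSanitizer would report, so the second release is counted rather than dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define STATUS_OK    0
#define STATUS_ERROR 1

/* Constructed model of a refcounted document (hypothetical, not cairo's struct). */
typedef struct {
    int refcount;
    int freed;     /* stand-in for "memory already returned to the allocator" */
} document_t;

static int g_frees;        /* times the document reached refcount 0 in the last run */
static int g_uaf_reports;  /* times a released document was touched again in the last run */

static document_t *document_create(void) {
    document_t *doc = calloc(1, sizeof *doc);
    if (doc) doc->refcount = 1;
    return doc;
}

/* The decrement the report cites (document->refcount--). If the block was
   already released, count a use-after-free instead of touching it, which is
   the role a sanitizer plays at runtime. The model deliberately does not
   free() here so the flag stays readable; run() deallocates at the end. */
static void document_destroy(document_t *doc) {
    if (doc->freed) { g_uaf_reports++; return; }
    if (--doc->refcount > 0) return;
    doc->freed = 1;
    g_frees++;
}

/* Contract from the report: on failure the callee releases the document it
   was handed (CLEANUP branch) and then returns an error status. */
static int surface_create_releasing(document_t *doc, int inject_failure) {
    if (inject_failure) {
        document_destroy(doc);          /* CLEANUP: drops the caller's only reference */
        return STATUS_ERROR;
    }
    return STATUS_OK;
}

/* Corrected contract: a failing callee leaves the caller's reference
   untouched, so only the creator ever releases it. */
static int surface_create_nonreleasing(document_t *doc, int inject_failure) {
    (void)doc;
    return inject_failure ? STATUS_ERROR : STATUS_OK;
}

/* Driver mirroring the caller in the report: create the document, call the
   callee, release the document once on either the error path or normal
   teardown. With the releasing callee that single release is the second one.
   Returns the number of use-after-free accesses observed. */
static int run(int (*create)(document_t *, int), int inject_failure) {
    g_frees = 0;
    g_uaf_reports = 0;
    document_t *doc = document_create();
    if (!doc) return -1;
    int status = create(doc, inject_failure);
    (void)status;                       /* both paths below release exactly once */
    document_destroy(doc);              /* caller's release (error path or teardown) */
    free(doc);                          /* real deallocation only here, in the model */
    return g_uaf_reports;
}

static int frees_in_last_run(void) { return g_frees; }

int main(void) {
    printf("releasing callee, error path:    uaf=%d frees=%d\n",
           run(surface_create_releasing, 1), frees_in_last_run());
    printf("nonreleasing callee, error path: uaf=%d frees=%d\n",
           run(surface_create_nonreleasing, 1), frees_in_last_run());
    printf("releasing callee, success path:  uaf=%d frees=%d\n",
           run(surface_create_releasing, 0), frees_in_last_run());
    return 0;
}
```

The point the model makes is that the bug is a contract mismatch, not a single bad line: whichever side owns the reference on the error path must be the only one to drop it. Building cairo with AddressSanitizer (`-fsanitize=address`) and driving the error path turns the `freed` check here into a real heap-use-after-free report.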
Attachment
cairo-svg-surface.c_clangsa_d0d9423ac1178240b5bd45a770c9bc44.plist.html
As this bug could be security-related, we are keeping this issue confidential.
Feiyu Security Team