Fix a use after free in _cairo_svg_surface_create_for_stream_internal (!315) · Merge requests · cairo / cairo

Feysh INC. requested to merge Feysh/cairo:fix-uaf-stream_internal into master Apr 22, 2022

When _cairo_svg_surface_create_for_document() failed, it will free the document by _cairo_svg_document_destroy(). But after _cairo_svg_surface_create_for_document return a error status, the document is still used and destoryed by _cairo_svg_document_destroy().

We remove the redundant _cairo_svg_document_destroy() in _cairo_svg_surface_create_for_stream_internal to avoid this bug.

This fixes #561 (closed).

Signed-off-by: Feysh INC opensource@feysh.com

Admin message

Fix a use after free in _cairo_svg_surface_create_for_stream_internal

Merge request reports