clip: Fix crash on destroy (!11) · Merge requests · cairo / cairo

Florian Muellner requested to merge fmuellner/cairo:clip-box-free into master Feb 11, 2019

Commit cb871c6c exposed a bug in the memory handling of clip boxes: For a single box, no memory is allocated and the clip's embedded_box is used instead - or, after a call to unsteal_boxes(), another clip's embedded_box.

The existing check doesn't consider the latter, and ends up with an invalid free() call that results in a crash.

Instead, check for the number of boxes which is the condition used through-out the code to whether memory needs to be allocated or not.

Fixes #358 (closed)

clip: Fix crash on destroy

Merge request reports