GitLab

Fix _cairo_surface_paint not setting is_clear

Closes #283

See merge request cairo/cairo!104

Slightly improve dealing with error snapshots

See merge request cairo/cairo!92

Add a bounds check to cairo_cff_font_read_fdselect()

Closes #451

See merge request cairo/cairo!103

Apply small fix that was reported as an issue

Closes #385

See merge request cairo/cairo!105

Fixes: #385Signed-off-by: Uli Schlachter <psychon@znc.in>

In commit 10e58a4a I changed the code in cairo-surface.c to avoid
setting surface->is_clear = FALSE; in some situations where it was not
necessary, because the operation did not actually modify anything (it
returned CAIRO_INT_STATUS_NOTHING_TO_DO). However, that change
accidentally also caused _cairo_surface_paint() not to set
surface->is_clear = TRUE; in similar cases. That was unintended.

This commit fixes that by always setting is_clear = TRUE when necessary,
but keeps the optimisation of not setting is_clear = FALSE when not
necessary.

The connection to the below issue is that the issue happened with
surfaces with width=0. Clearing such a surface with CAIRO_OPERATOR_CLEAR
causes CAIRO_INT_STATUS_NOTHING_TO_DO and thus is_clear = TRUE was not
set. This error was later caught by a failed assertion.

Fixes: #283Signed-off-by: Uli Schlachter <psychon@znc.in>

An error in _cairo_surface_snapshot_copy_on_write() results in a
snapshot in an error state and the snapshot's ->target could now point
to a surface from _cairo_surface_create_in_error(). These surfaces e.g.
have ->backend == NULL. Thus, anything looking at ->backend->type now
explodes. This commit deals with two places which caused segfaults in
this situation.

There is no test case for this, because
_cairo_surface_snapshot_copy_on_write() really is not supposed to fail.

Found-while-investigating: #448Signed-off-by: Uli Schlachter <psychon@znc.in>

The code in cairo-cff-subset.c parses a binary format without seeming to
bother much with verifying the data. The result is that poppler can be
used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
via a crafted font file. Fix this by adding the needed length check.

The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.

No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.

Fixes: cairo/cairo#451Signed-off-by: Uli Schlachter <psychon@znc.in>

autoconf: Reject --enable-xml --disable-png

See merge request cairo/cairo!87

Fix compiler warnings in test suite

See merge request cairo/cairo!98

meson: fix macOS build and add macOS ci

Closes #441

See merge request cairo/cairo!101

Fixes #441

Added checks for failed strdups in cairo-recording-surface.c

See merge request cairo/cairo!99

Fix copying tags in a recording surface

Closes #448

See merge request cairo/cairo!93

Add a bounds check to cairo_cff_parse_charstring()

Closes #444

See merge request cairo/cairo!90

Fix some enum mixups, mostly cairo_status_t vs cairo_test_status_t.

ci: add meson android aarch64 build

See merge request cairo/cairo!96

Fix two uninitialised variables in _cairo_recording_surface_snapshot()

See merge request cairo/cairo!95

Signed-off-by: Uli Schlachter <psychon@znc.in>

The code was copying from the wrong member of an union. This caused a
huge num_dashes value to be read, which then caused a so large memory
allocation that malloc returned an error.

Fixes: #448Signed-off-by: Uli Schlachter <psychon@znc.in>

The code in cairo-cff-subset.c parses a binary font format without
seeming to bother much verifying the data. The result is that poppler
can be used to cause an out-of-bounds access in
cairo_cff_parse_charstring() via a crafted font file. Fix this by adding
the needed length check.

The other code in the file also contains lots of similar things. Since I
cannot really fix everything properly, I'll just fix the one instance
that was found by a fuzzer.

No testcase is added, because this depends on a broken font that is
quite large. Adding something this big to the test suite does not seem
sensible.

Fixes: cairo/cairo#444Signed-off-by: Uli Schlachter <psychon@znc.in>

boilerplate-xcb: Avoid leaks on error

See merge request cairo/cairo!82

Fix a leak in cairo-xcb's render compositor

Closes #24

See merge request cairo/cairo!83

Fix mask usage in image-compositor

See merge request cairo/cairo!85

meson: Generate cairo-script-interpreter.pc needed by GTK+

See merge request cairo/cairo!70

The xml surface depends on png. Before this commit, configuring with
autogen.sh --disable-png --disable-svg --enable-xml resulted in a
failing build:

src/cairo-xml-surface.c: In function ‘_cairo_xml_emit_image’:
src/cairo-xml-surface.c:673:14: error: implicit declaration of function
‘cairo_surface_write_to_png_stream’

After this commit, configure instead rejects this combination with:

checking whether cairo's xml surface backend feature could be enabled... no (requires --enable-png)
configure: error:  xml surface backend feature could not be enabled

Noticed-at: cairo/cairo!67 (comment 644347)Signed-off-by: Uli Schlachter <psychon@znc.in>

meson: fix library versioning

Closes #442

See merge request cairo/cairo!84

Fixes #442

Ref and destroy the cairo surface handed off to CoreGraphics.

Closes #420

See merge request cairo/cairo!52

The code here temporary replaces extents->clip with another clip to call
a function. Afterwards, it restores the previous copy. The temporary
clip is only freed when it still is pointed to by extents->clip.

This logic is wrong. It is indeed possible that the clip is simplified
and changes. In this case, the original clip is also correctly freed.
However, this still means that we have to clean up and destroy the new
clip. The previous code just leaked it.

This was originally identified by Massimo in [1]. I am just committing
his patch.

[1]: https://bugs.freedesktop.org/show_bug.cgi?id=91267

Fixes: cairo/cairo#24Signed-off-by: Uli Schlachter <psychon@znc.in>

This gets rid of the following two leaks reported by valgrind when successfully
running a test with CAIRO_TEST_TARGET=xcb:

8,000 bytes in 2 blocks are definitely lost in loss record 9 of 10
   at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x4B7E135: read_packet (xcb_in.c:259)
   by 0x4B7E135: _xcb_in_read (xcb_in.c:1031)
   by 0x4B7BF8E: _xcb_conn_wait (xcb_conn.c:516)
   by 0x4B7D6AE: wait_for_reply (xcb_in.c:516)
   by 0x4B7D8C8: xcb_request_check (xcb_in.c:745)
   by 0x18D747: _cairo_boilerplate_xcb_create_surface (cairo-boilerplate-xcb.c:310)
   by 0x12906F: cairo_test_for_target (cairo-test.c:819)
   by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
   by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
   by 0x126921: main (cairo-test-runner.c:932)

8,000 bytes in 2 blocks are definitely lost in loss record 10 of 10
   at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x4B7E135: read_packet (xcb_in.c:259)
   by 0x4B7E135: _xcb_in_read (xcb_in.c:1031)
   by 0x4B7BF8E: _xcb_conn_wait (xcb_conn.c:516)
   by 0x4B7D6AE: wait_for_reply (xcb_in.c:516)
   by 0x4B7D7C0: xcb_wait_for_reply (xcb_in.c:546)
   by 0x18D45D: find_depth (cairo-boilerplate-xcb.c:154)
   by 0x18D45D: _cairo_boilerplate_xcb_create_render_0_0 (cairo-boilerplate-xcb.c:621)
   by 0x12906F: cairo_test_for_target (cairo-test.c:819)
   by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
   by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
   by 0x126921: main (cairo-test-runner.c:932)
Signed-off-by: Uli Schlachter <psychon@znc.in>

Before this commit, running the test suite against a non-existing
display under valgrind resulted in:

$ ( cd test; DISPLAY=:2 CAIRO_TEST_TARGET=xcb valgrind --leak-check=full .libs/cairo-test-suite -f random-clip )
[...]
==47359== 64 bytes in 2 blocks are definitely lost in loss record 1 of 7
==47359==    at 0x483AB65: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==47359==    by 0x18A272: cairo_boilerplate_xcalloc (cairo-boilerplate-system.c:65)
==47359==    by 0x18D652: _cairo_boilerplate_xcb_create_surface (cairo-boilerplate-xcb.c:269)
==47359==    by 0x12906F: cairo_test_for_target (cairo-test.c:819)
==47359==    by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
==47359==    by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
==47359==    by 0x126921: main (cairo-test-runner.c:932)

This commit fixes that by freeing the allocated memory in the error
path.
Signed-off-by: Uli Schlachter <psychon@znc.in>