1. 15 Jan, 2021 1 commit
  2. 11 Jan, 2021 6 commits
  3. 07 Jan, 2021 2 commits
    • Uli Schlachter's avatar
      Slightly improve dealing with error snapshots · 66c99118
      Uli Schlachter authored
      An error in _cairo_surface_snapshot_copy_on_write() results in a
      snapshot in an error state and the snapshot's ->target could now point
      to a surface from _cairo_surface_create_in_error(). These surfaces e.g.
      have ->backend == NULL. Thus, anything looking at ->backend->type now
      explodes. This commit deals with two places which caused segfaults in
      this situation.
      
      There is no test case for this, because
      _cairo_surface_snapshot_copy_on_write() really is not supposed to fail.
      
      Found-while-investigating: #448Signed-off-by: Uli Schlachter's avatarUli Schlachter <psychon@znc.in>
      66c99118
    • Uli Schlachter's avatar
      Add a bounds check to cairo_cff_font_read_fdselect() · b1e81ee9
      Uli Schlachter authored
      The code in cairo-cff-subset.c parses a binary format without seeming to
      bother much with verifying the data. The result is that poppler can be
      used to cause an out-of-bounds write in cairo_cff_font_read_fdselect()
      via a crafted font file. Fix this by adding the needed length check.
      
      The other code in the file also contains lots of similar things. Since I
      cannot really fix everything properly, I'll just fix the one instance
      that was found by a fuzzer.
      
      No testcase is added, because this depends on a broken font that is
      quite large. Adding something this big to the test suite does not seem
      sensible.
      
      Fixes: cairo/cairo#451Signed-off-by: Uli Schlachter's avatarUli Schlachter <psychon@znc.in>
      b1e81ee9
  4. 06 Jan, 2021 3 commits
  5. 04 Jan, 2021 7 commits
  6. 31 Dec, 2020 1 commit
  7. 29 Dec, 2020 1 commit
  8. 27 Dec, 2020 1 commit
  9. 26 Dec, 2020 1 commit
  10. 25 Dec, 2020 3 commits
  11. 24 Dec, 2020 1 commit
  12. 23 Dec, 2020 1 commit
  13. 22 Dec, 2020 1 commit
  14. 19 Dec, 2020 1 commit
    • Uli Schlachter's avatar
      autoconf: Reject --enable-xml --disable-png · a012540d
      Uli Schlachter authored
      The xml surface depends on png. Before this commit, configuring with
      autogen.sh --disable-png --disable-svg --enable-xml resulted in a
      failing build:
      
      src/cairo-xml-surface.c: In function ‘_cairo_xml_emit_image’:
      src/cairo-xml-surface.c:673:14: error: implicit declaration of function
      ‘cairo_surface_write_to_png_stream’
      
      After this commit, configure instead rejects this combination with:
      
      checking whether cairo's xml surface backend feature could be enabled... no (requires --enable-png)
      configure: error:  xml surface backend feature could not be enabled
      
      Noticed-at: cairo/cairo!67 (comment 644347)Signed-off-by: Uli Schlachter's avatarUli Schlachter <psychon@znc.in>
      a012540d
  15. 15 Dec, 2020 5 commits
  16. 11 Dec, 2020 1 commit
  17. 05 Dec, 2020 4 commits
    • John Ralls's avatar
      dccaa917
    • Uli Schlachter's avatar
      Fix a leak in cairo-xcb's render compositor · eb75ce08
      Uli Schlachter authored
      The code here temporary replaces extents->clip with another clip to call
      a function. Afterwards, it restores the previous copy. The temporary
      clip is only freed when it still is pointed to by extents->clip.
      
      This logic is wrong. It is indeed possible that the clip is simplified
      and changes. In this case, the original clip is also correctly freed.
      However, this still means that we have to clean up and destroy the new
      clip. The previous code just leaked it.
      
      This was originally identified by Massimo in [1]. I am just committing
      his patch.
      
      [1]: https://bugs.freedesktop.org/show_bug.cgi?id=91267
      
      Fixes: cairo/cairo#24Signed-off-by: Uli Schlachter's avatarUli Schlachter <psychon@znc.in>
      eb75ce08
    • Uli Schlachter's avatar
      boilerplate-xcb: Avoid leaks on success · 2ceb279d
      Uli Schlachter authored
      This gets rid of the following two leaks reported by valgrind when successfully
      running a test with CAIRO_TEST_TARGET=xcb:
      
      8,000 bytes in 2 blocks are definitely lost in loss record 9 of 10
         at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
         by 0x4B7E135: read_packet (xcb_in.c:259)
         by 0x4B7E135: _xcb_in_read (xcb_in.c:1031)
         by 0x4B7BF8E: _xcb_conn_wait (xcb_conn.c:516)
         by 0x4B7D6AE: wait_for_reply (xcb_in.c:516)
         by 0x4B7D8C8: xcb_request_check (xcb_in.c:745)
         by 0x18D747: _cairo_boilerplate_xcb_create_surface (cairo-boilerplate-xcb.c:310)
         by 0x12906F: cairo_test_for_target (cairo-test.c:819)
         by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
         by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
         by 0x126921: main (cairo-test-runner.c:932)
      
      8,000 bytes in 2 blocks are definitely lost in loss record 10 of 10
         at 0x483877F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
         by 0x4B7E135: read_packet (xcb_in.c:259)
         by 0x4B7E135: _xcb_in_read (xcb_in.c:1031)
         by 0x4B7BF8E: _xcb_conn_wait (xcb_conn.c:516)
         by 0x4B7D6AE: wait_for_reply (xcb_in.c:516)
         by 0x4B7D7C0: xcb_wait_for_reply (xcb_in.c:546)
         by 0x18D45D: find_depth (cairo-boilerplate-xcb.c:154)
         by 0x18D45D: _cairo_boilerplate_xcb_create_render_0_0 (cairo-boilerplate-xcb.c:621)
         by 0x12906F: cairo_test_for_target (cairo-test.c:819)
         by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
         by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
         by 0x126921: main (cairo-test-runner.c:932)
      Signed-off-by: Uli Schlachter's avatarUli Schlachter <psychon@znc.in>
      2ceb279d
    • Uli Schlachter's avatar
      boilerplate-xcb: Avoid leaks on error · e3eaccb9
      Uli Schlachter authored
      Before this commit, running the test suite against a non-existing
      display under valgrind resulted in:
      
      $ ( cd test; DISPLAY=:2 CAIRO_TEST_TARGET=xcb valgrind --leak-check=full .libs/cairo-test-suite -f random-clip )
      [...]
      ==47359== 64 bytes in 2 blocks are definitely lost in loss record 1 of 7
      ==47359==    at 0x483AB65: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==47359==    by 0x18A272: cairo_boilerplate_xcalloc (cairo-boilerplate-system.c:65)
      ==47359==    by 0x18D652: _cairo_boilerplate_xcb_create_surface (cairo-boilerplate-xcb.c:269)
      ==47359==    by 0x12906F: cairo_test_for_target (cairo-test.c:819)
      ==47359==    by 0x12AAB5: _cairo_test_context_run_for_target (cairo-test.c:1555)
      ==47359==    by 0x126921: _cairo_test_runner_draw (cairo-test-runner.c:250)
      ==47359==    by 0x126921: main (cairo-test-runner.c:932)
      
      This commit fixes that by freeing the allocated memory in the error
      path.
      Signed-off-by: Uli Schlachter's avatarUli Schlachter <psychon@znc.in>
      e3eaccb9