diff --git a/cairo-xlib-double-free.patch b/cairo-xlib-double-free.patch
new file mode 100644
index 0000000..ec3e60d
--- /dev/null
+++ b/cairo-xlib-double-free.patch
@@ -0,0 +1,60 @@
+From c088ba1faab9579efdaed7a524124901a17801b0 Mon Sep 17 00:00:00 2001
+From: Uli Schlachter
+Date: Sat, 18 Jun 2016 15:08:52 +0200
+Subject: [PATCH] xlib: Fix double free in _get_image_surface()
+
+If XShmGetImage() fails, the code tries to continue with its normal,
+non-shared-memory path. However, the image variable, which was previously set to
+NULL, now points to an already-destroyed surface, causing a double-free when the
+function cleans up after itself (actually, its an assertion failure because the
+reference count of the surface is zero, but technically this is still a double
+free).
+
+Fix this by setting image=NULL after destroying the surface that this refers to,
+to make sure this surface will not be destroyed again.
+
+While we are here (multiple changes in a single commit are bad...), also fix the
+cleanup done in bail. In practice, &image->base should be safe when image==NULL,
+because this just adds some offset to the pointer (the offset here is actually
+zero, so this doesn't do anything at all). However, the C standard does not
+require this to be safe, so let's handle this case specially.
+
+Note that anything that is fixed by this change is still buggy, because the only
+reason why XShmGetImage() could fail would be BadDrawable, meaning that the
+target we draw to does not exist or was already destroyed. This patch will
+likely just cause X11 errors elsewhere and drawing to (possible) invalid
+drawables is not supported by cairo anyway. This means that if SHM fails, the
+following fallback code has a high chance of failing, too.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=91967
+Signed-off-by: Uli Schlachter
+---
+ src/cairo-xlib-surface.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
+index 3f407c3..555c1fe 100644
+--- a/src/cairo-xlib-surface.c
++++ b/src/cairo-xlib-surface.c
+@@ -807,6 +807,7 @@ _get_image_surface (cairo_xlib_surface_t *surface,
+ }
+
+ cairo_surface_destroy (&image->base);
++ image = NULL;
+ }
+ }
+
+@@ -1011,7 +1012,8 @@ _get_image_surface (cairo_xlib_surface_t *surface,
+ cairo_device_release (&display->base);
+
+ if (unlikely (status)) {
+- cairo_surface_destroy (&image->base);
++ if (image)
++ cairo_surface_destroy (&image->base);
+ return _cairo_surface_create_in_error (status);
+ }
+
+--
+2.8.1
+
+
diff --git a/cairo.changes b/cairo.changes
index 404fff1..6c24ca4 100644
--- a/cairo.changes
+++ b/cairo.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Sep 5 07:36:33 UTC 2016 - badshah400@gmail.com
+
+- Add cairo-xlib-double-free.patch to fix double free in
+ _get_image_surface(); patch taken from upstream git (fdo#91967,
+ boo#997189).
+
-------------------------------------------------------------------
Wed Jul 20 21:23:25 CEST 2016 - hpj@suse.com
diff --git a/cairo.spec b/cairo.spec
index 1db9866..5683ae9 100644
--- a/cairo.spec
+++ b/cairo.spec
@@ -33,6 +33,8 @@ Patch0: cairo-modules-no-version.patch
Patch2: cairo-xlib-endianness.patch
# PATCH-FIX-UPSTREAM cairo-bsc958844-deadlock-on-scaled-font-cache-reset.patch fdo#93891 bsc#958844 hpj@suse.com -- Fix mutex deadlock on certain documents.
Patch3: cairo-bsc958844-deadlock-on-scaled-font-cache-reset.patch
+# PATCH-FIX-UPSTREAM cairo-xlib-double-free.patch fdo#91967 boo#997189 badshah400@gmail.com -- xlib: Fix double free in _get_image_surface(); patch taken from upstream git.
+Patch4: cairo-xlib-double-free.patch
BuildRequires: gtk-doc
# Needed by patch0
BuildRequires: libtool
@@ -143,6 +145,7 @@ cairo.
%patch0 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
# Needed by patch0 and patch1