Accepting request 424790 from home:badshah400:branches:GNOME:Factory

Haven't tested if this actually fixes boo#997189 or not...

OBS-URL: https://build.opensuse.org/request/show/424790
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/cairo?expand=0&rev=107

cairo-xlib-double-free.patch

@@ -0,0 +1,60 @@
+From c088ba1faab9579efdaed7a524124901a17801b0 Mon Sep 17 00:00:00 2001
+From: Uli Schlachter <psychon@znc.in>
+Date: Sat, 18 Jun 2016 15:08:52 +0200
+Subject: [PATCH] xlib: Fix double free in _get_image_surface()
+
+If XShmGetImage() fails, the code tries to continue with its normal,
+non-shared-memory path. However, the image variable, which was previously set to
+NULL, now points to an already-destroyed surface, causing a double-free when the
+function cleans up after itself (actually, its an assertion failure because the
+reference count of the surface is zero, but technically this is still a double
+free).
+
+Fix this by setting image=NULL after destroying the surface that this refers to,
+to make sure this surface will not be destroyed again.
+
+While we are here (multiple changes in a single commit are bad...), also fix the
+cleanup done in bail. In practice, &image->base should be safe when image==NULL,
+because this just adds some offset to the pointer (the offset here is actually
+zero, so this doesn't do anything at all). However, the C standard does not
+require this to be safe, so let's handle this case specially.
+
+Note that anything that is fixed by this change is still buggy, because the only
+reason why XShmGetImage() could fail would be BadDrawable, meaning that the
+target we draw to does not exist or was already destroyed. This patch will
+likely just cause X11 errors elsewhere and drawing to (possible) invalid
+drawables is not supported by cairo anyway. This means that if SHM fails, the
+following fallback code has a high chance of failing, too.
+
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=91967
+Signed-off-by: Uli Schlachter <psychon@znc.in>
+---
+ src/cairo-xlib-surface.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
+index 3f407c3..555c1fe 100644
+--- a/src/cairo-xlib-surface.c
++++ b/src/cairo-xlib-surface.c
+@@ -807,6 +807,7 @@ _get_image_surface (cairo_xlib_surface_t    *surface,
+ 	    }
+ 
+ 	    cairo_surface_destroy (&image->base);
++	    image = NULL;
+ 	}
+     }
+ 
+@@ -1011,7 +1012,8 @@ _get_image_surface (cairo_xlib_surface_t    *surface,
+     cairo_device_release (&display->base);
+ 
+     if (unlikely (status)) {
+-	cairo_surface_destroy (&image->base);
++	if (image)
++	    cairo_surface_destroy (&image->base);
+ 	return _cairo_surface_create_in_error (status);
+     }
+ 
+-- 
+2.8.1
+
+

cairo.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Sep  5 07:36:33 UTC 2016 - badshah400@gmail.com
+
+- Add cairo-xlib-double-free.patch to fix double free in
+  _get_image_surface(); patch taken from upstream git (fdo#91967,
+  boo#997189).
+
 -------------------------------------------------------------------
 Wed Jul 20 21:23:25 CEST 2016 - hpj@suse.com
 

cairo.spec

@@ -33,6 +33,8 @@ Patch0:         cairo-modules-no-version.patch
 Patch2:         cairo-xlib-endianness.patch
 # PATCH-FIX-UPSTREAM cairo-bsc958844-deadlock-on-scaled-font-cache-reset.patch fdo#93891 bsc#958844 hpj@suse.com -- Fix mutex deadlock on certain documents.
 Patch3:         cairo-bsc958844-deadlock-on-scaled-font-cache-reset.patch
+# PATCH-FIX-UPSTREAM cairo-xlib-double-free.patch fdo#91967 boo#997189 badshah400@gmail.com -- xlib: Fix double free in _get_image_surface(); patch taken from upstream git.
+Patch4:         cairo-xlib-double-free.patch
 BuildRequires:  gtk-doc
 # Needed by patch0
 BuildRequires:  libtool
@@ -143,6 +145,7 @@ cairo.
 %patch0 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 # Needed by patch0 and patch1