diff options
| author | Feysh INC <opensource@feysh.com> | 2022-04-22 17:09:47 +0800 |
|---|---|---|
| committer | Feysh INC <opensource@feysh.com> | 2022-04-22 17:09:47 +0800 |
| commit | fa8f456c2b7a061ca379a86931d5cc99b7edf42d (patch) | |
| tree | 27a6bedc26de1e3507aacc411adffee14b205c60 /src/cairo-scaled-font.c | |
| parent | 99cd4bb3bd51bc62a2c8b5f9f4b6eda7625f0b96 (diff) | |
| download | cairo-fa8f456c2b7a061ca379a86931d5cc99b7edf42d.tar.gz | |
Fix a use after free in cairo_scaled_font_create
When `font_face` is freed by `cairo_font_face_destroy()` at line 1,150,
the following call `_cairo_font_face_set_error (font_face, status)`
causes a use after free.
We moved up the `_cairo_font_face_set_error (font_face, status)` before
`cairo_font_face_destroy()` to avoid the use after free.
Signed-off-by: Feysh INC <opensource@feysh.com>
Diffstat (limited to 'src/cairo-scaled-font.c')
| -rwxr-xr-x | src/cairo-scaled-font.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-scaled-font.c b/src/cairo-scaled-font.c index 30611dca4..270f8ed34 100755 --- a/src/cairo-scaled-font.c +++ b/src/cairo-scaled-font.c @@ -1145,6 +1145,7 @@ cairo_scaled_font_create (cairo_font_face_t *font_face, ctm, options, &scaled_font); /* Did we leave the backend in an error state? */ if (unlikely (status)) { + status = _cairo_font_face_set_error (font_face, status); _cairo_scaled_font_map_unlock (); if (font_face != original_font_face) cairo_font_face_destroy (font_face); @@ -1152,7 +1153,6 @@ cairo_scaled_font_create (cairo_font_face_t *font_face, if (dead != NULL) cairo_scaled_font_destroy (dead); - status = _cairo_font_face_set_error (font_face, status); return _cairo_scaled_font_create_in_error (status); } /* Or did we encounter an error whilst constructing the scaled font? */ |