author: Feysh INC <opensource@feysh.com> 2022-04-22 21:24:09 +0800
committer: Feysh INC <opensource@feysh.com> 2022-04-22 21:24:09 +0800
commit: d7cb417e0edde2756ec9f19ca1eb99fd33133cd0
tree: 7ff10c445cce0e696752e1fd20ac49ba8a02b82a /src/cairo-svg-surface.c
parent: a934fa66dba2b880723f4e5c3fdea92cbe0207e7
Fix a use after free in _cairo_svg_surface_create_for_stream_internal

When `_cairo_svg_surface_create_for_document()` failed, it will free the `document` by `_cairo_svg_document_destroy()`. But after `_cairo_svg_surface_create_for_document` returns an error status, the `document` is still used and destroyed by `_cairo_svg_document_destroy()`.

We remove the redundant `_cairo_svg_document_destroy()` in `_cairo_svg_surface_create_for_stream_internal` to avoid this bug.

This fixes #561.

Signed-off-by: Feysh INC <opensource@feysh.com>

Diffstat (limited to 'src/cairo-svg-surface.c')
-rw-r--r-- src/cairo-svg-surface.c 1
1 files changed, 0 insertions, 1 deletions
diff --git a/src/cairo-svg-surface.c b/src/cairo-svg-surface.c
index c6d9382b3..dfb72b2ad 100644
--- a/src/cairo-svg-surface.c
+++ b/src/cairo-svg-surface.c
@@ -1142,7 +1142,6 @@ _cairo_svg_surface_create_for_stream_internal (cairo_output_stream_t *stream,
surface = _cairo_svg_surface_create_for_document (document, CAIRO_CONTENT_COLOR_ALPHA,
width, height, TRUE);
if (surface->status) {
- status = _cairo_svg_document_destroy (document);
return surface;
}
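
Review bot: the `if (surface->status)` branch now returns without releasing `document`, and nothing in the hunk records why that is safe. A one-line comment there, saying that `_cairo_svg_surface_create_for_document()` has already destroyed `document` when it fails, would keep a later edit from putting the destroy call back. The commit message states that the callee frees `document` on failure, but that function is not part of this diff, so please confirm that each of its error returns really does so; any path that does not would now leak the document rather than touch it after free. With the assignment gone, the braces around the lone `return surface;` could also be dropped if the file's style allows it.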