From 2cd42566524d3fdce4fc112ad7d72c95e4b860dd Mon Sep 17 00:00:00 2001
From: Matt Turner
Date: Wed, 1 Mar 2023 13:07:49 -0500
Subject: Open-code bbtree_del to avoid free()ing a non-allocated object

As we do already in _cairo_recording_surface_finish. Otherwise, the cleanup path of _cairo_recording_surface_create_bbtree() could call free() on surface->bbtree which is not dynamically allocated.

Closes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/645
---
 src/cairo-recording-surface.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/cairo-recording-surface.c b/src/cairo-recording-surface.c
index 158ea16ba..2912f5ede 100644
--- a/src/cairo-recording-surface.c
+++ b/src/cairo-recording-surface.c
@@ -364,7 +364,10 @@ _cairo_recording_surface_create_bbtree (cairo_recording_surface_t *surface)
 return CAIRO_STATUS_SUCCESS;
 cleanup:
- bbtree_del (&surface->bbtree);
+ if (surface->bbtree.left)
+ bbtree_del (surface->bbtree.left);
+ if (surface->bbtree.right)
+ bbtree_del (surface->bbtree.right);
 return status;
 }
-- 
cgit v1.2.1
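Review bot: The open-coded cleanup leaves `surface->bbtree.left` and `surface->bbtree.right` pointing at freed nodes after the two `bbtree_del()` calls. The commit message says `_cairo_recording_surface_finish` performs the same left/right deletion, so if the surface is finished after this error path the children would presumably be freed a second time, unless code outside the hunk resets them. Clearing them here closes that gap: add `surface->bbtree.left = surface->bbtree.right = NULL;` just before `return status;`. The rest of `_cairo_recording_surface_create_bbtree` lies outside the hunk, so whether the tree is re-initialized elsewhere could not be checked.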