authorChris Liddell <chris.liddell@artifex.com>2022-08-08 15:42:33 +0100
committerChris Liddell <chris.liddell@artifex.com>2022-08-08 16:12:39 +0100
commita003e870a11d13659666311e8b3059ba9fda3651 (patch)
tree8430be532be2449b9feb9435bc8ca096611e2ff0 /base/gxp1fill.c
parent49b6b7cace41a5357b1e765298d570fc6cbaf0b3 (diff)
downloadghostpdl-a003e870a11d13659666311e8b3059ba9fda3651.tar.gz
Bug 705722: Cleanup tile clipper device on error
If initialisation for tile filling fails, make sure to clean up the tile clipper device if it was set up. The reason is that the clipper device forwards drawing operations to a memory device embedded in itself (i.e. not a separate memory allocation just for the memory device). This means that if the clipper device (with its target set to that internal memory device) persists until a gc run occurs, then when the garbage collector attempts to reloc the clipper's target pointer, it will access adjacent values in the device structure, not the memory manager header it expects. Thus it will reloc to a nonsensical location and, ultimately, will crash.
Diffstat (limited to 'base/gxp1fill.c')
-rw-r--r--base/gxp1fill.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/base/gxp1fill.c b/base/gxp1fill.c
index 15b395da7..519e853cf 100644
--- a/base/gxp1fill.c
+++ b/base/gxp1fill.c
@@ -368,8 +368,9 @@ gx_dc_pattern_fill_rectangle(const gx_device_color * pdevc, int x, int y,
bits = &ptile->tbits;
code = tile_fill_init(&state, pdevc, dev, false); /* This _may_ allocate state.cdev */
- if (code < 0)
- return code;
+ if (code < 0) {
+ goto exit;
+ }
if (ptile->is_simple && ptile->cdev == NULL) {
int px =
imod(-(int)fastfloor(ptile->step_matrix.tx - state.phase.x + 0.5),
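Review bot: The new `goto exit` means the `CLIPDEV_INSTALLED` test now runs after a failed `tile_fill_init`, so `state.cdev` (which that macro presumably inspects) must hold a defined value on every failure return of the callee. Neither the declaration of `state` nor the body of `tile_fill_init` is visible here; if any early error return can occur before `cdev` is assigned, the cleanup would test an indeterminate pointer and could hand it to `tile_clip_free`. Adding `state.cdev = NULL;` immediately before the `tile_fill_init` call would make the error path safe wherever the callee fails. The enclosing function starts and ends outside the hunk.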
@@ -417,6 +418,7 @@ gx_dc_pattern_fill_rectangle(const gx_device_color * pdevc, int x, int y,
&tbits, tile_pattern_clist);
}
}
+exit:
if (CLIPDEV_INSTALLED) {
tile_clip_free((gx_device_tile_clip *)state.cdev);
state.cdev = NULL;
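Review bot: The `exit:` label carries no comment saying that every path after `tile_fill_init` must pass through this cleanup, so a later early `return` added above it would silently bring back the lingering clipper device. A comment on the label such as `/* All exits after tile_fill_init() must come through here so state.cdev is freed */` would record that requirement. The label also shares its name with the libc function `exit`; this is legal because labels have their own namespace, but `cleanup:` or `out:` would read less ambiguously. The function body continues outside the hunk.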