Commit d24a127

committed

double-free via g_object_unref that could crash

1 parent 2f9de7c commit d24a127Copy full SHA for d24a127

File tree

+12

-9

lines changed

+12

-9

lines changed

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,9 @@ project adheres to [Semantic Versioning](http://semver.org/).`
`9`	`9`	`==================`
`10`	`10`	`### Changed`
`11`	`11`	`### Added`
	`12`	`+`
`12`	`13`	`### Fixed`
	`14`	`+* Fix a crash when SVGs without width or height are loaded (#2486)`
`13`	`15`
`14`	`16`	`3.1.0`
`15`	`17`	`==================`

Lines changed: 1 addition & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -1470,8 +1470,6 @@ cairo_status_t`
`1470`	`1470`	`Image::loadSVGFromBuffer(uint8_t *buf, unsigned len) {`
`1471`	`1471`	`_is_svg = true;`
`1472`	`1472`
`1473`		`- cairo_status_t status;`
`1474`		`-`
`1475`	`1473`	`if (NULL == (_rsvg = rsvg_handle_new_from_data(buf, len, nullptr))) {`
`1476`	`1474`	`return CAIRO_STATUS_READ_ERROR;`
`1477`	`1475`	`}`
`@@ -1484,13 +1482,7 @@ Image::loadSVGFromBuffer(uint8_t *buf, unsigned len) {`
`1484`	`1482`	`width = naturalWidth = d_width;`
`1485`	`1483`	`height = naturalHeight = d_height;`
`1486`	`1484`
`1487`		`- status = renderSVGToSurface();`
`1488`		`- if (status != CAIRO_STATUS_SUCCESS) {`
`1489`		`- g_object_unref(_rsvg);`
`1490`		`- return status;`
`1491`		`- }`
`1492`		`-`
`1493`		`- return CAIRO_STATUS_SUCCESS;`
	`1485`	`+ return renderSVGToSurface();`
`1494`	`1486`	`}`
`1495`	`1487`
`1496`	`1488`	`/*`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2513,4 +2513,13 @@ describe('Canvas', function () {`
`2513`	`2513`	`assert.throws(() => { ctx.beginTag('Link', {}) })`
`2514`	`2514`	`})`
`2515`	`2515`	`})`
	`2516`	`+`
	`2517`	`+ describe('loadImage', function () {`
	`2518`	`+ it('doesn\'t crash when you don\'t specify width and height', async function () {`
	`2519`	`+ await assert.rejects(async () => {`
	`2520`	+ const svg = `<svg xmlns="http://www.w3.org/2000/svg"><path d="M1,1"/></svg>`;
	`2521`	`+ await loadImage(Buffer.from(svg));`
	`2522`	`+ });`
	`2523`	`+ });`
	`2524`	`+ });`
`2516`	`2525`	`})`

Comments

(0)