summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Clasen <mclasen@redhat.com>2019-05-30 07:30:55 -0400
committerBehdad Esfahbod <behdad@behdad.org>2019-07-18 14:38:47 -0700
commitaa263f881fb158202f32a7e3a8c6351dbe3626b8 (patch)
tree6c5d58886104f0c84b7315ce04d5b0ee941265a5
parente4a79db0108be6a2b06dfce51a44bcbdead66ebd (diff)
Fix a thinko in composite_color_glyphs
We can't just move around the contents of the passed-in string, we need to make a copy. This was showing up as memory corruption in pango. See https://gitlab.gnome.org/GNOME/pango/issues/346
-rw-r--r--src/cairo-surface.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/cairo-surface.c b/src/cairo-surface.c
index c30f84087..e112b660a 100644
--- a/src/cairo-surface.c
+++ b/src/cairo-surface.c
@@ -2820,6 +2820,7 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
const cairo_clip_t *clip)
{
cairo_int_status_t status;
+ char *utf8_copy = NULL;
TRACE ((stderr, "%s\n", __FUNCTION__));
if (unlikely (surface->status))
@@ -2847,6 +2848,10 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
status = CAIRO_INT_STATUS_UNSUPPORTED;
if (_cairo_scaled_font_has_color_glyphs (scaled_font)) {
+ utf8_copy = malloc (sizeof (char) * utf8_len);
+ memcpy (utf8_copy, utf8, sizeof (char) * utf8_len);
+ utf8 = utf8_copy;
+
status = composite_color_glyphs (surface, op,
source,
(char *)utf8, &utf8_len,
@@ -2861,6 +2866,8 @@ _cairo_surface_show_text_glyphs (cairo_surface_t *surface,
if (num_glyphs == 0)
goto DONE;
}
+ else
+ utf8_copy = NULL;
/* The logic here is duplicated in _cairo_analysis_surface show_glyphs and
* show_text_glyphs. Keep in synch. */
@@ -2918,6 +2925,9 @@ DONE:
surface->serial++;
}
+ if (utf8_copy)
+ free (utf8_copy);
+
return _cairo_surface_set_error (surface, status);
}