Cherry-pick https://gitlab.freedesktop.org/cairo/cairo/-/commit/48194cf093d6eadf1a64f45d76b1fe001f467a05 draft
authorJonathan Kew <jkew@mozilla.com>
Fri, 05 Feb 2021 15:06:35 +0000
changeset 3667293 e9a66ece00f85a97abc1a63215a9157e41e37939
parent 3667292 e5d139a704ab5440f5e3922af95a4f4269d8a52b
child 3667294 8044ee0cbfe079e17168b3dd62037ae0541086ab
push id683063
push userjkew@mozilla.com
push dateMon, 19 Apr 2021 13:15:26 +0000
treeherdertry@919daaf50d14 [default view] [failures only]
milestone89.0a1
Cherry-pick https://gitlab.freedesktop.org/cairo/cairo/-/commit/48194cf093d6eadf1a64f45d76b1fe001f467a05 Avoid use after free in cairo_fill
gfx/cairo/cairo/src/cairo-spans-compositor.c
--- a/gfx/cairo/cairo/src/cairo-spans-compositor.c
+++ b/gfx/cairo/cairo/src/cairo-spans-compositor.c
@@ -1123,27 +1123,27 @@ static cairo_int_status_t
 							      antialias,
 							      &boxes);
 	if (likely (status == CAIRO_INT_STATUS_SUCCESS))
 	    status = clip_and_composite_boxes (compositor, extents, &boxes);
 	_cairo_boxes_fini (&boxes);
     }
     if (status == CAIRO_INT_STATUS_UNSUPPORTED) {
 	cairo_polygon_t polygon;
+	cairo_box_t limits;
 
 	TRACE((stderr, "%s - polygon\n", __FUNCTION__));
 
 	if (! _cairo_rectangle_contains_rectangle (&extents->unbounded,
 						   &extents->mask))
 	{
 	    TRACE((stderr, "%s - clipping to bounds\n", __FUNCTION__));
 	    if (extents->clip->num_boxes == 1) {
 		_cairo_polygon_init (&polygon, extents->clip->boxes, 1);
 	    } else {
-		cairo_box_t limits;
 		_cairo_box_from_rectangle (&limits, &extents->unbounded);
 		_cairo_polygon_init (&polygon, &limits, 1);
 	    }
 	}
 	else
 	{
 	    _cairo_polygon_init (&polygon, NULL, 0);
 	}