Bug 6176

Summary: Null pointer dereference on OOM in _cairo_output_stream_create_for_file()
Product: cairo
Reporter: Ken Herron <kherron+cairo>
Component: general
Assignee: Carl Worth <cworth>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: high    
Version: 1.1.1   
Hardware: All   
OS: All   
URL: http://gitweb.freedesktop.org/?p=cairo;a=blob;h=a6db091989bcb24f8ee2de85a0ce741fe42cf6e1;hb=3333bba82d26a0b11961af3cb5c29c79a1a0d07b;f=src/cairo-output-stream.c#l307

Description Ken Herron 2006-03-08 11:55:53 UTC
This was found through a coverity scan of the mozilla source; see
<http://scan.coverity.com/>.

See |_cairo_output_stream_create_for_file| in cairo-output-stream.c. If
|_cairo_output_stream_create| returns NULL, it's dereferenced following the
|fclose| call.

Comment 1 Carl Worth 2006-03-14 07:10:18 UTC
This is now fixed in cairo 1.1.1 and 1.0.3.

-Carl

diff-tree c780f4a5624f27a6cbf7829e10e8cd3544ae4f38 (from
92e09ee72fdde9059300b2b63d87e2bbd4286605)
Author: Carl Worth <cworth@cworth.org>
Date:   Mon Mar 13 12:05:13 2006 -0800

    cairo-output-stream: Don't dereference a NULL pointer due to OOM.

    This closes bug #6176:

        Null pointer dereference on OOM in _cairo_output_stream_create_for_file()
        https://bugs.freedesktop.org/show_bug.cgi?id=6176

diff --git a/src/cairo-output-stream.c b/src/cairo-output-stream.c
index a6db091..b07423c 100644
--- a/src/cairo-output-stream.c
+++ b/src/cairo-output-stream.c
@@ -305,9 +305,11 @@ _cairo_output_stream_create_for_file (co
        return NULL;

     stream = _cairo_output_stream_create (stdio_write, fp);
-    if (stream == NULL)
+
+    if (stream)
+       stream->owns_closure_is_file = TRUE;
+    else
        fclose (fp);
-    stream->owns_closure_is_file = TRUE;

     return stream;
 }
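
Review bot: On the new `else` branch (`fclose (fp);`) the function falls through to `return stream;` with `stream` still NULL, which is the same value the earlier `return NULL;` above the `_cairo_output_stream_create` call returns, so a caller cannot tell the allocation failure from that earlier failure. The dereference itself is correctly guarded now, but the function would benefit from a comment stating that NULL covers both cases and that every caller must check the result before using the stream. It is also worth confirming that no caller repeats the original pattern of touching the returned stream without a NULL test, since only this one site is changed here.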
