Drawing onto an unbounded recording surface, then painting from it onto an image surface, accesses uninitialized memory somewhere down in pixman. Assigning to image backend component out of ignorance.
Giving a bounding rectangle to cairo_recording_surface_create() does not have the issue.
I extracted this test case out of a much more complicated path that started returning CAIRO_STATUS_NO_MEMORY for modestly sized surfaces (whose dimensions ballooned somewhere between Cairo extents and the pixman composite code).
I've attached a testcase and an abbreviated valgrind log.
Created attachment 40305 [details]
testcase + valgrind log
Thanks for the bug report. Looks like the recording surface's acquire_source_image method trusts the surface extents without checking if it actually has extents or not. The uninitialised values valgrind trips over are the width/height of the surface extents.
I don't quite understand the interactions between surface snapshots and recording surfaces, so I can't propose a patch for this at the moment. Unfortunately there's no recording backend option for the component, so I'm reassigning to the general component for the time being.
Upping to critical as this is a potential crasher in otherwise legal code.
Do you mind if I put your test case under the MIT license and add it to the cairo test suite?
(In reply to comment #4)
> Do you mind if I put your test case under the MIT license and add it to the
> cairo test suite?
That's no problem at all.
The test doesn't crash here and valgrind has no complaints (besides the expecte "leaks").
Was this test ever added to cairo's test suite? Was the issue already fixed or am I just doing something wrong?
The recording surface acquire now checks for unbounded extents and errors out. These cases should be exercised by the record-* set of tests and so all the backends should ideally handle this without triggering any errors...
I think we have fixed the original error and have a few tests that exercise the unbounded recording surface case, so I think we can safely close this bug. Mike, thank you for the bug report and test case.