This was found through a Coverity scan of the Firefox source code. The sample URL points to the relevant code in git. At line 246 a |cairo_clip_path_t| object is allocated and stored in clip_path. At lines 250-252, the function returns without freeing this memory if |_cairo_path_fixed_init_copy| fails.
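The leak pattern described in the report, modelled as an added example that is not cairo's code: a struct is allocated, a fallible initialiser for an embedded member runs, and the early return on failure must release the struct. All type and function names below (clip_path_t, path_t, path_init_copy, the counted allocator) are hypothetical stand-ins for the cairo ones, and the allocation counter plus fault injection are constructed bookkeeping so that the leak can be observed rather than inferred.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes mirroring the shape of cairo's. */
typedef enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1 } status_t;

/* Hypothetical embedded path: owns one heap buffer of points. */
typedef struct {
    int *points;
    size_t num_points;
} path_t;

/* Hypothetical clip path: the object allocated before the fallible copy. */
typedef struct {
    path_t path;
    int ref_count;
    int fill_rule;
} clip_path_t;

/* Constructed bookkeeping: count live blocks and allow fault injection
 * so a test can prove whether the failure path leaks. */
static int live_allocations = 0;
static int alloc_calls = 0;
static int fail_on_call = 0;   /* 0 = never fail; n = fail the n-th call */

static void *counted_malloc(size_t n) {
    alloc_calls++;
    if (alloc_calls == fail_on_call)
        return NULL;
    void *p = malloc(n);
    if (p)
        live_allocations++;
    return p;
}

static void counted_free(void *p) {
    if (p)
        live_allocations--;
    free(p);
}

/* Copy a path. Written so that on failure nothing is left allocated
 * inside *dst, which is what makes a bare free() of the owner sufficient. */
static status_t path_init_copy(path_t *dst, const path_t *src) {
    dst->num_points = src->num_points;
    dst->points = counted_malloc(src->num_points * sizeof(int));
    if (dst->points == NULL)
        return STATUS_NO_MEMORY;
    memcpy(dst->points, src->points, src->num_points * sizeof(int));
    return STATUS_SUCCESS;
}

static void path_fini(path_t *p) {
    counted_free(p->points);
    p->points = NULL;
}

/* Pre-fix shape: the early return drops clip_path without freeing it. */
static status_t clip_intersect_path_leaky(const path_t *path, int fill_rule,
                                          clip_path_t **out) {
    clip_path_t *clip_path = counted_malloc(sizeof *clip_path);
    if (clip_path == NULL)
        return STATUS_NO_MEMORY;          /* nothing owned yet: correct */
    status_t status = path_init_copy(&clip_path->path, path);
    if (status)
        return status;                    /* clip_path is leaked here */
    clip_path->ref_count = 1;
    clip_path->fill_rule = fill_rule;
    *out = clip_path;
    return STATUS_SUCCESS;
}

/* Post-fix shape: release the owner before propagating the status. */
static status_t clip_intersect_path_fixed(const path_t *path, int fill_rule,
                                          clip_path_t **out) {
    clip_path_t *clip_path = counted_malloc(sizeof *clip_path);
    if (clip_path == NULL)
        return STATUS_NO_MEMORY;
    status_t status = path_init_copy(&clip_path->path, path);
    if (status) {
        counted_free(clip_path);
        return status;
    }
    clip_path->ref_count = 1;
    clip_path->fill_rule = fill_rule;
    *out = clip_path;
    return STATUS_SUCCESS;
}

static void clip_path_destroy(clip_path_t *cp) {
    path_fini(&cp->path);
    counted_free(cp);
}

typedef status_t (*intersect_fn)(const path_t *, int, clip_path_t **);

/* Force the second allocation (the path copy) to fail and report how many
 * blocks are still live afterwards: 0 means the failure path is clean. */
static int leaked_blocks_on_copy_failure(intersect_fn fn) {
    int src_points[] = {1, 2, 3};
    path_t src = { src_points, 3 };
    clip_path_t *out = NULL;
    live_allocations = 0; alloc_calls = 0; fail_on_call = 2;
    status_t st = fn(&src, 0, &out);
    fail_on_call = 0;
    if (st == STATUS_SUCCESS)             /* not expected under injection */
        clip_path_destroy(out);
    return live_allocations;
}

/* Success path: allocate, then destroy, and confirm everything is released. */
static int leaked_blocks_on_success(intersect_fn fn) {
    int src_points[] = {4, 5};
    path_t src = { src_points, 2 };
    clip_path_t *out = NULL;
    live_allocations = 0; alloc_calls = 0; fail_on_call = 0;
    if (fn(&src, 1, &out) == STATUS_SUCCESS)
        clip_path_destroy(out);
    return live_allocations;
}

int main(void) {
    printf("leaky, copy fails: %d live block(s)\n",
           leaked_blocks_on_copy_failure(clip_intersect_path_leaky));
    printf("fixed, copy fails: %d live block(s)\n",
           leaked_blocks_on_copy_failure(clip_intersect_path_fixed));
    printf("fixed, success:    %d live block(s)\n",
           leaked_blocks_on_success(clip_intersect_path_fixed));
    return 0;
}
```

The counter-based harness is the same check a leak detector such as Valgrind would make for you; the point of doing it by hand here is that the failure path is only reachable by injecting an allocation failure, which is exactly why such leaks survive ordinary testing and get found by static analysis instead.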
This is now fixed in cairo 1.1.1 and 1.0.3. -Carl diff-tree 79075b2cb1ce1397506fc10572df96f6fd00ecc3 (from fc51a78a1ed5f7649ce55ab30fc42939a9b295d1) Author: Carl Worth <cworth@cworth.org> Date: Mon Mar 13 12:20:23 2006 -0800 cairo-clip: Fix memory leak during OOM handling. This closes bug #6196: Memory leak in _cairo_clip_intersect_path (src/cairo-clip.c) https://bugs.freedesktop.org/show_bug.cgi?id=6196 diff --git a/src/cairo-clip.c b/src/cairo-clip.c index c76ebdc..0c862a3 100644 --- a/src/cairo-clip.c +++ b/src/cairo-clip.c @@ -248,8 +248,10 @@ _cairo_clip_intersect_path (cairo_clip_t return CAIRO_STATUS_NO_MEMORY; status = _cairo_path_fixed_init_copy (&clip_path->path, path); - if (status) + if (status) { + free (clip_path); return status; + } clip_path->ref_count = 1; clip_path->fill_rule = fill_rule;
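Review bot: the added `free (clip_path);` on the `_cairo_path_fixed_init_copy` failure branch releases the struct allocated at line 246, but it assumes the copy routine leaves nothing allocated inside `clip_path->path` when it fails part-way; if `_cairo_path_fixed_init_copy` can fail after acquiring its own buffers, a `_cairo_path_fixed_fini (&clip_path->path);` call before the `free` would be needed as well, so it is worth confirming which contract the copy routine follows. The earlier `return CAIRO_STATUS_NO_MEMORY;` at the top of the hunk is fine as is, since it runs before anything has been assigned to the new object.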