RESOURCE_LEAK in /inkbugs/inkscape/src/display/nr-filter-slot.cpp

Bug #613731 reported by Vaughn Spurlin
Affects: Inkscape
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

In Inkscape::Filters::FilterSlot…::set(...):
Leak of memory or pointers to system resources (CWE-404).

  194 if (slot_nr == NR_FILTER_SOURCEGRAPHIC || slot_nr == NR_FILTER_BACKGROUNDIMAGE) {
  195 Geom::Matrix trans = units.get_matrix_display2pb();
  196 if (fabs(trans[1]) > 1e-6 || fabs(trans[2]) > 1e-6) {
Calling allocation function "operator new(unsigned int)".
Assigning: "trans_pb" = storage returned from "new NRPixBlock".
  197 NRPixBlock *trans_pb = new NRPixBlock;
  198 int x0 = pb->area.x0;
  199 int y0 = pb->area.y0;
  200 int x1 = pb->area.x1;
  201 int y1 = pb->area.y1;
  202 int min_x = _min4(trans[0] * x0 + trans[2] * y0 + trans[4],
  203 trans[0] * x0 + trans[2] * y1 + trans[4],
  204 trans[0] * x1 + trans[2] * y0 + trans[4],
  205 trans[0] * x1 + trans[2] * y1 + trans[4]);
  206 int max_x = _max4(trans[0] * x0 + trans[2] * y0 + trans[4],
  207 trans[0] * x0 + trans[2] * y1 + trans[4],
  208 trans[0] * x1 + trans[2] * y0 + trans[4],
  209 trans[0] * x1 + trans[2] * y1 + trans[4]);
  210 int min_y = _min4(trans[1] * x0 + trans[3] * y0 + trans[5],
  211 trans[1] * x0 + trans[3] * y1 + trans[5],
  212 trans[1] * x1 + trans[3] * y0 + trans[5],
  213 trans[1] * x1 + trans[3] * y1 + trans[5]);
  214 int max_y = _max4(trans[1] * x0 + trans[3] * y0 + trans[5],
  215 trans[1] * x0 + trans[3] * y1 + trans[5],
  216 trans[1] * x1 + trans[3] * y0 + trans[5],
  217 trans[1] * x1 + trans[3] * y1 + trans[5]);
  218
Variable "trans_pb" is not freed or pointed-to in function "nr_pixblock_setup_fast(NRPixBlock *, NR_PIXBLOCK_MODE, int, int, int, int, bool)".
  219 nr_pixblock_setup_fast(trans_pb, pb->mode,
  220 min_x, min_y,
  221 max_x, max_y, true);
At conditional (1): "trans_pb->size != 0" taking the true branch.
At conditional (2): "trans_pb->data.px == NULL" taking the true branch.
  222 if (trans_pb->size != NR_PIXBLOCK_SIZE_TINY && trans_pb->data.px == NULL) {
  223 /* TODO: this gets hit occasionally. Worst case scenario:
  224 * images are exported in horizontal stripes. One stripe
  225 * is not too high, but can get thousands of pixels wide.
  226 * Rotate this 45 degrees -> _huge_ image */
  227 g_warning("Memory allocation failed in Inkscape::Filters::FilterSlot::set (transform)");
Variable "trans_pb" going out of scope leaks the storage it points to.
  228 return;
  229 }
  230 if (filterquality == FILTER_QUALITY_BEST) {
  231 NR::transform_bicubic(trans_pb, pb, trans);
  232 } else {
  233 NR::transform_nearest(trans_pb, pb, trans);
  234 }
  235 nr_pixblock_release(pb);
  236 delete pb;
  237 pb = trans_pb;
  238 } else if (fabs(trans[0] - 1) > 1e-6 || fabs(trans[3] - 1) > 1e-6) {

Vaughn Spurlin (vspurlin) wrote:

fix suggestion 2010-07-25:
  227.1 delete trans_pb;

fix reason:
  insert line to release trans_pb before return.

Jon A. Cruz (jon-joncruz) wrote:

We need to restructure the code to not have early return statements.
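Added example, not Inkscape's code: it models the leak the report describes (raw `new`, then an early return when setup fails) next to a fix that satisfies both suggestions above, since owning `trans_pb` through `std::unique_ptr` releases it on every exit path without a manual `delete` before each return. `PixBlock`, `setup` and its pixel-count limit are constructed stand-ins for `NRPixBlock` and `nr_pixblock_setup_fast`.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Stand-in for NRPixBlock (constructed for this example, not Inkscape's type).
struct PixBlock {
    static int live;                 // PixBlock objects currently allocated
    std::vector<unsigned char> px;   // stays empty after a failed setup (like data.px == NULL)
    PixBlock()  { ++live; }
    ~PixBlock() { --live; }
};
int PixBlock::live = 0;

// Stand-in for nr_pixblock_setup_fast: refuses "huge" areas to simulate allocation failure.
static bool setup(PixBlock &b, std::size_t width, std::size_t height) {
    const std::size_t limit = 1u << 20;   // assumed cap on pixel count
    if (width * height > limit) return false;
    b.px.assign(width * height, 0);
    return true;
}

// The pattern flagged in the report: raw new, then an early return leaks trans_pb.
bool set_leaky(std::size_t w, std::size_t h) {
    PixBlock *trans_pb = new PixBlock;
    if (!setup(*trans_pb, w, h)) {
        return false;                // leak: trans_pb goes out of scope without delete
    }
    delete trans_pb;                 // success path; the real code hands it to pb instead
    return true;
}

// Fixed form: ownership lives in a unique_ptr, so the early return cannot leak.
bool set_fixed(std::size_t w, std::size_t h) {
    std::unique_ptr<PixBlock> trans_pb(new PixBlock);
    if (!setup(*trans_pb, w, h)) {
        return false;                // unique_ptr destructor frees the block here
    }
    return true;                     // real code would trans_pb.release() into pb
}

// Number of PixBlock objects still alive after one call; 0 means no leak.
int live_after(bool (*fn)(std::size_t, std::size_t), std::size_t w, std::size_t h) {
    PixBlock::live = 0;
    fn(w, h);
    return PixBlock::live;
}
```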

jazzynico (jazzynico)
Changed in inkscape:
status: New → Triaged
Kris (kris-degussem)
tags: added: performance
Kris (kris-degussem) wrote:

This bug was fixed in revision 10326 when merging the cairo branch.

Changed in inkscape:
status: Triaged → Fix Committed
milestone: none → 0.49
Bryce Harrington (bryce)
Changed in inkscape:
status: Fix Committed → Fix Released