RESOURCE_LEAK in /inkbugs/inkscape/src/display/nr-filter-slot.cpp

Bug #613731 reported by Vaughn Spurlin on 2010-08-05
This bug affects 1 person
Affects: Inkscape
Importance: Medium
Assigned to: Unassigned

Bug Description

RESOURCE_LEAK in /inkbugs/inkscape/src/display/nr-filter-slot.cpp

In Inkscape::Filters::FilterSlot…::set(...):
Leak of memory or pointers to system resources (CWE-404).

  194 if (slot_nr == NR_FILTER_SOURCEGRAPHIC || slot_nr == NR_FILTER_BACKGROUNDIMAGE) {
  195 Geom::Matrix trans = units.get_matrix_display2pb();
  196 if (fabs(trans[1]) > 1e-6 || fabs(trans[2]) > 1e-6) {
Calling allocation function "operator new(unsigned int)".
Assigning: "trans_pb" = storage returned from "new NRPixBlock".
  197 NRPixBlock *trans_pb = new NRPixBlock;
  198 int x0 = pb->area.x0;
  199 int y0 = pb->area.y0;
  200 int x1 = pb->area.x1;
  201 int y1 = pb->area.y1;
  202 int min_x = _min4(trans[0] * x0 + trans[2] * y0 + trans[4],
  203 trans[0] * x0 + trans[2] * y1 + trans[4],
  204 trans[0] * x1 + trans[2] * y0 + trans[4],
  205 trans[0] * x1 + trans[2] * y1 + trans[4]);
  206 int max_x = _max4(trans[0] * x0 + trans[2] * y0 + trans[4],
  207 trans[0] * x0 + trans[2] * y1 + trans[4],
  208 trans[0] * x1 + trans[2] * y0 + trans[4],
  209 trans[0] * x1 + trans[2] * y1 + trans[4]);
  210 int min_y = _min4(trans[1] * x0 + trans[3] * y0 + trans[5],
  211 trans[1] * x0 + trans[3] * y1 + trans[5],
  212 trans[1] * x1 + trans[3] * y0 + trans[5],
  213 trans[1] * x1 + trans[3] * y1 + trans[5]);
  214 int max_y = _max4(trans[1] * x0 + trans[3] * y0 + trans[5],
  215 trans[1] * x0 + trans[3] * y1 + trans[5],
  216 trans[1] * x1 + trans[3] * y0 + trans[5],
  217 trans[1] * x1 + trans[3] * y1 + trans[5]);
  218
Variable "trans_pb" is not freed or pointed-to in function "nr_pixblock_setup_fast(NRPixBlock *, NR_PIXBLOCK_MODE, int, int, int, int, bool)".
  219 nr_pixblock_setup_fast(trans_pb, pb->mode,
  220 min_x, min_y,
  221 max_x, max_y, true);
At conditional (1): "trans_pb->size != 0" taking the true branch.
At conditional (2): "trans_pb->data.px == NULL" taking the true branch.
  222 if (trans_pb->size != NR_PIXBLOCK_SIZE_TINY && trans_pb->data.px == NULL) {
  223 /* TODO: this gets hit occasionally. Worst case scenario:
  224 * images are exported in horizontal stripes. One stripe
  225 * is not too high, but can get thousands of pixels wide.
  226 * Rotate this 45 degrees -> _huge_ image */
  227 g_warning("Memory allocation failed in Inkscape::Filters::FilterSlot::set (transform)");
Variable "trans_pb" going out of scope leaks the storage it points to.
  228 return;
  229 }
  230 if (filterquality == FILTER_QUALITY_BEST) {
  231 NR::transform_bicubic(trans_pb, pb, trans);
  232 } else {
  233 NR::transform_nearest(trans_pb, pb, trans);
  234 }
  235 nr_pixblock_release(pb);
  236 delete pb;
  237 pb = trans_pb;
  238 } else if (fabs(trans[0] - 1) > 1e-6 || fabs(trans[3] - 1) > 1e-6) {

Vaughn Spurlin (vspurlin) wrote :

fix suggestion 2010-07-25:
  227.1 delete trans_pb;

fix reason:
  insert line to release trans_pb before return.

Jon A. Cruz (jon-joncruz) wrote :

We need to restructure the code to not have early return statements.

jazzynico (jazzynico) on 2010-11-18
Changed in inkscape:
status: New → Triaged

Kris (kris-degussem) on 2012-01-01
tags: added: performance

Kris (kris-degussem) wrote :

This bug was fixed in revision 10326 when merging the cairo branch.

Changed in inkscape:
status: Triaged → Fix Committed
milestone: none → 0.49

Bryce Harrington (bryce) on 2015-02-21
Changed in inkscape:
status: Fix Committed → Fix Released
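
The early-return leak reported at line 228, next to an ownership-based form that frees the block on every exit path, as an added example (not Inkscape code and not the change made in revision 10326). PixBlock, setup, set_leaky, set_raii, leaked_after_failure and the limit parameter are constructed stand-ins; limit simulates the allocation failure.

```cpp
#include <cstddef>
#include <memory>
#include <new>
#include <utility>

// Constructed stand-in for NRPixBlock: counts live objects so a leak is observable.
struct PixBlock {
    static int live;
    std::unique_ptr<unsigned char[]> px;
    PixBlock() { ++live; }
    ~PixBlock() { --live; }
};
int PixBlock::live = 0;

// Stand-in for nr_pixblock_setup_fast: px stays null when the request exceeds limit.
static void setup(PixBlock &pb, std::size_t bytes, std::size_t limit) {
    pb.px.reset(bytes <= limit ? new (std::nothrow) unsigned char[bytes]() : nullptr);
}

// Pattern from the report: raw new, early return on failure, no delete.
bool set_leaky(PixBlock *&slot, std::size_t bytes, std::size_t limit) {
    PixBlock *trans_pb = new PixBlock;
    setup(*trans_pb, bytes, limit);
    if (trans_pb->px == nullptr) {
        return false;            // trans_pb goes out of scope here: leaked
    }
    delete slot;
    slot = trans_pb;
    return true;
}

// Owning pointer: trans_pb is destroyed on every exit path, early return included.
bool set_raii(std::unique_ptr<PixBlock> &slot, std::size_t bytes, std::size_t limit) {
    std::unique_ptr<PixBlock> trans_pb(new PixBlock);
    setup(*trans_pb, bytes, limit);
    if (trans_pb->px == nullptr) {
        return false;            // destructor runs here, nothing leaks
    }
    slot = std::move(trans_pb);  // previous block freed, ownership transferred
    return true;
}

// PixBlocks still alive after one failed call (0 means the failure path is clean).
int leaked_after_failure(bool use_raii) {
    int before = PixBlock::live;
    if (use_raii) { std::unique_ptr<PixBlock> slot; set_raii(slot, 1 << 20, 1024); }
    else { PixBlock *slot = nullptr; set_leaky(slot, 1 << 20, 1024); }
    return PixBlock::live - before;
}
```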