From aba890ce7bfda3965737e1639817732ceaac9fed Mon Sep 17 00:00:00 2001
From: Michael Orlitzky
Date: Fri, 26 Jan 2024 07:35:16 -0500
Subject: [PATCH] src/svgtiny_css.c: change lwc_string_destroy -> lwc_string_unref
In the node_is_lang() callback, we're interning "lang" and later destroying it. But "lang" is already interned at that point (in libcss), so we are destroying a copy that doesn't belong to us. It should be unref'd instead. Valgrind detected the error. Thanks to Michael Drake for the pointer.
---
 src/svgtiny_css.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/svgtiny_css.c b/src/svgtiny_css.c
index 495a39f..96991dd 100644
--- a/src/svgtiny_css.c
+++ b/src/svgtiny_css.c
@@ -1805,6 +1805,11 @@ static css_error node_is_lang(void *pw, void *node,
 css_qname attr;
 attr.ns = NULL;
+ /* The string "lang" is already interned in our
+ * css_select_ctx, but its members aren't visible to
+ * us. Trying to intern it again will get a reference to the
+ * existing string, so it's important that we unref (as
+ * opposed to destroy) it later. */
 if (lwc_intern_string("lang", 4, &attr.name) != lwc_error_ok) {
 return CSS_NOMEM;
 }
@@ -1818,12 +1823,12 @@ static css_error node_is_lang(void *pw, void *node,
 c_err = _node_has_attribute_substring(pw, (void *)n, &attr, lang, &match, true);
 if (c_err != CSS_OK) {
- lwc_string_destroy(attr.name);
+ lwc_string_unref(attr.name);
 return c_err;
 }
 if (match) {
 /* matched this element; we're done */
- lwc_string_destroy(attr.name);
+ lwc_string_unref(attr.name);
 *is_lang = true;
 return CSS_OK;
 }
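Review bot: The release of `attr.name` is spelled out at four separate return sites (two in the @@ -1818 hunk, two more in the @@ -1831 hunk), so a return path added later can skip it, or pick the wrong call again and free a string that libcss still holds. A single exit would keep the ownership rule in one place: store the result in a local and `goto out;` at each site, with `out: lwc_string_unref(attr.name); return ret;` at the end of the function. The function body starts before and ends after this hunk, so check that no other return path between the intern call and the loop needs the same treatment.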
@@ -1831,14 +1836,14 @@ static css_error node_is_lang(void *pw, void *node,
 /* no match on this element, try its parent */
 d_err = dom_node_get_parent_node(n, &p);
 if (d_err != DOM_NO_ERR) {
- lwc_string_destroy(attr.name);
+ lwc_string_unref(attr.name);
 return CSS_NOMEM;
 }
 n = p;
 }
 /* If we never find a match we may wind up here */
- lwc_string_destroy(attr.name);
+ lwc_string_unref(attr.name);
 return CSS_OK;
 }
--
2.44.2
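Review bot: The parent obtained by `dom_node_get_parent_node(n, &p)` is assigned to `n`, and nothing in the visible lines releases it, either when the loop moves on or on any return path. libdom returns that node with its reference count raised, so each ancestor visited appears to stay referenced after node_is_lang() returns; something like `if ((void *)n != node) dom_node_unref(n);` before `n = p;` and before each return would balance it. The loop header is outside the hunk, so confirm that no release happens there. Separately, the final `return CSS_OK;` does not write `*is_lang` in the lines shown; if it is not initialised earlier in the function, `*is_lang = false;` belongs before that return.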