From ed12df1099d2c9b524c48d989f30c7ce1a8b1459 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Wed, 1 Mar 2023 10:12:12 +0000
Subject: [PATCH] color-device: Don't close lcms profile on error from cd_icc_load_handle

As implemented in colord 1.4.6, cd_icc_load_handle() has three possible results:
1. success, taking ownership of the profile;
2. failure because cmsGetProfileContextID returns NULL, *not* taking ownership of the profile;
3. failure in cd_icc_load(), taking ownership of the profile.

The previous commit ensures that we are not in case 2. In case 3 where cd_icc_load() fails, ownership was already given to the colord CdIcc object, so it will be freed when the g_autoptr unrefs the CdIcc, and we must not free it again: that would be a double-free, potentially resulting in memory corruption.

Resolves: https://gitlab.gnome.org/GNOME/mutter/-/issues/2659
Signed-off-by: Simon McVittie
Part-of: 
---
 src/backends/meta-color-device.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/backends/meta-color-device.c b/src/backends/meta-color-device.c
index 5533a8ece..3032d34c2 100644
--- a/src/backends/meta-color-device.c
+++ b/src/backends/meta-color-device.c
@@ -889,12 +889,10 @@ create_icc_profile_from_edid (MetaColorDevice *color_device,
   cmsSetHeaderRenderingIntent (lcms_profile, INTENT_PERCEPTUAL);
   cmsSetDeviceClass (lcms_profile, cmsSigDisplayClass);
 
-  if (!cd_icc_load_handle (cd_icc, lcms_profile,
+  g_warn_if_fail (cmsGetProfileContextID (lcms_profile));
+  if (!cd_icc_load_handle (cd_icc, g_steal_pointer (&lcms_profile),
                            CD_ICC_LOAD_FLAGS_PRIMARIES, error))
-    {
-      cmsCloseProfile (lcms_profile);
-      return NULL;
-    }
+    return NULL;
 
   cd_icc_add_metadata (cd_icc, CD_PROFILE_PROPERTY_FILENAME, file_path);
   cd_icc_add_metadata (cd_icc,
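Review bot: The ownership rule the fix depends on is not recorded in the code: after `g_steal_pointer (&lcms_profile)` the profile belongs to cd_icc whether cd_icc_load_handle() succeeds or fails inside cd_icc_load(), and a later edit that reintroduces cmsCloseProfile on the error path would bring the double-free back with nothing at the call site to warn against it. A comment above the call, `/* cd_icc_load_handle() takes ownership of lcms_profile on both success and failure; it must not be closed here (see the colord 1.4.6 behaviour described in the commit). */`, would pin that. The `g_warn_if_fail` on the preceding line only warns: if cmsGetProfileContextID() ever did return NULL, cd_icc_load_handle() would fail without taking ownership and the already-stolen profile would leak rather than be closed — the commit message says the previous commit rules that case out, so this is worth a clause in the same comment rather than a code change. create_icc_profile_from_edid begins and ends outside the hunk, so whether lcms_profile is referenced again after being set to NULL cannot be checked from here.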