From 6ded645bafa0a28c453bfe22fde4bfdef4c83445 Mon Sep 17 00:00:00 2001
From: OwenSanzas
Date: Thu, 5 Mar 2026 20:37:40 +0000
Subject: [PATCH] =?UTF-8?q?cairo:=20fix=20raster=5Ffuzzer=20=E2=80=94=20re?= =?UTF-8?q?move=20PDF=20API=20calls=20that=20prevent=20acquire=20callback?= =?UTF-8?q?=20from=20firing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

cairo_pdf_surface_set_page_label() and cairo_pdf_surface_set_metadata() are PDF-surface-specific APIs. When called on the image surface created by cairo_image_surface_create_from_png(), _extract_pdf_surface() sets the surface status to CAIRO_STATUS_SURFACE_TYPE_MISMATCH. This contaminated error state causes cairo_paint() to short-circuit, so the raster source acquire callback is never invoked — the fuzzer's entire testing target (raster source pattern) is dead code. Removing these two calls and the unnecessary #include allows cairo_paint() to proceed normally, triggering the acquire/release callbacks as intended.
---
projects/cairo/targets/raster_fuzzer.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/projects/cairo/targets/raster_fuzzer.c b/projects/cairo/targets/raster_fuzzer.c
index e7f9bc19923d..e4fff9a38945 100644
--- a/projects/cairo/targets/raster_fuzzer.c
+++ b/projects/cairo/targets/raster_fuzzer.c
@@ -13,7 +13,6 @@
 // limitations under the License.
 #include
-#include
 #include "fuzzer_temp_file.h"
 static cairo_surface_t *
@@ -58,8 +57,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 pattern = cairo_pattern_create_raster_source(buf, content, w, h);
 cairo_raster_source_pattern_set_acquire (pattern, acquire, release);
 cairo_set_source(cr, pattern);
- cairo_pdf_surface_set_page_label(surface, buf);
- cairo_pdf_surface_set_metadata(surface, CAIRO_PDF_METADATA_KEYWORDS, buf);
 cairo_paint(cr);
 cairo_destroy(cr);