authorUli Schlachter <psychon@znc.in>2011-08-05 21:07:38 +0200
committerUli Schlachter <psychon@znc.in>2011-08-08 21:06:09 +0200
commit03cda5c0e51ec6ef78ee56cb4d72b6213d6d89e4 (patch)
tree80493d179a5916d51cf5301a2c47c71f274e4cce
parent73e93078554849673c54d82b229f76bfb918b7d0 (diff)
xlib-xcb: Fix a double free in surface_unmap
cairo_surface_unmap_image() destroys the image that was passed to it. Since xlib-xcb calls cairo_surface_unmap_image() again for the underlying xcb surface, the surface was destroyed twice. Work around this problem by incrementing the image's reference count via cairo_surface_reference(). No idea why I didn't catch this problem when implementing these functions, I'm sure I ran the relevant tests. :-( lt-cairo-test-suite: cairo-surface.c:853: cairo_surface_destroy: Assertion `((*&(&surface->ref_count)->ref_count) > 0)' failed. Fixes: map-to-image-fill map-bit-to-image map-all-to-image Signed-off-by: Uli Schlachter <psychon@znc.in>
-rw-r--r--src/cairo-xlib-xcb-surface.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/cairo-xlib-xcb-surface.c b/src/cairo-xlib-xcb-surface.c
index aa7422324..6da44a1b1 100644
--- a/src/cairo-xlib-xcb-surface.c
+++ b/src/cairo-xlib-xcb-surface.c
@@ -134,6 +134,10 @@ _cairo_xlib_xcb_surface_unmap (void *abstract_surface,
{
cairo_xlib_xcb_surface_t *surface = abstract_surface;
+ /* cairo_surface_unmap_image destroys the surface, so get a new reference
+ * for it to destroy.
+ */
+ cairo_surface_reference (&image->base);
cairo_surface_unmap_image (&surface->xcb->base, &image->base);
return cairo_surface_status (&surface->xcb->base);
}
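Review bot: The added comment says cairo_surface_unmap_image "destroys the surface", which reads as if it meant the local `surface` (or `surface->xcb`) rather than `image`, and it does not say who drops the second reference. Going by the commit message, the image is destroyed once by the nested call on `surface->xcb->base` and once by the outer cairo_surface_unmap_image() that invoked this callback, so a comment naming both would keep a later cleanup from removing the reference and reintroducing the double free, e.g. `/* Both the nested unmap below and the cairo_surface_unmap_image() that called us destroy image; take a reference so the two destroys balance. */`. The balance holds only if the nested call drops its reference on every path, including any error return, which is not visible in this hunk; if one path skips the destroy, the extra reference becomes a leak, so that is worth confirming. The function's parameter list starts outside the hunk, so the declaration of `image` is not shown here.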