From 39f79c0cd95b8afe1c13e5986077da54715e26a7 Mon Sep 17 00:00:00 2001
From: John Lindgren
Date: Sat, 12 Jul 2025 21:30:26 -0400
Subject: [PATCH] img: fix apparent double-free in img_svg_render() failure path

img_svg_render() calls g_object_unref() on the RsvgHandle in its error path, but the handle is owned by the shared lab_img_data struct and will be double-freed later by lab_img_destroy(). The double-free was introduced when img_svg_load() was split from img_svg_render(). The g_object_unref() should have been removed from img_svg_render() but was missed.
Fixes: 16dbdc64e58d66011bbf319b92de844dab0ca8d9 ("ssd: rework titlebar button rendering")
---
 src/img/img-svg.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/img/img-svg.c b/src/img/img-svg.c
index b5bf8670..bf671dc4 100644
--- a/src/img/img-svg.c
+++ b/src/img/img-svg.c
@@ -65,6 +65,5 @@ img_svg_render(RsvgHandle *svg, int w, int h, double scale)
 error:
 wlr_buffer_drop(&buffer->base);
 cairo_destroy(cr);
- g_object_unref(svg);
 return NULL;
 }