<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - cairo-script-interpreter API changes"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=65626">65626</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>cairo-script-interpreter API changes
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dmacks@netspace.org
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>1.12.14
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Going from cairo-1.12.8 to 1.12.10, cairo-script-interpreter.h was changed (via
146da77d85b304651949a819bc8b0a74819f0416) to add a new member to struct
cairo_script_interpreter_hooks. As far as I can tell, callers create variables
of this type themselves (via malloc or simple variable declarations) and access
its members before passing it to cairo_script_interpreter_install_hooks() in
libcairo. That means code that was compiled with the "old" typedef (that did
not have the new member) would be passing a pointer to a chunk of memory that
does not include allocated storage for that new member. But then "new" libcairo
tries to read the new member's value, meaning it's accessing memory that isn't
intended to be allocated to that struct. I don't know much about libcairo's
internals, but I don't see any protection or struct versioning that would
prevent this from happening, with undefined results.</pre>
        </div>
      </p>
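      <p>The hazard the report describes, as an added example that is not cairo's code: a hooks struct whose new library revision appends a member, while an old caller still allocates the shorter layout. The struct names, the <code>size</code> field and <code>install_hooks()</code> are all hypothetical; the real <code>cairo_script_interpreter_hooks</code> has no such size field, which is exactly why the report sees no protection. The unchecked installer reads the new member unconditionally (the reported bug); the checked one uses the caller-supplied size to decide which members actually exist.</p>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hooks layouts (not cairo's real struct). Version 1 had only
 * closure and surface_create; version 2 appended context_create.  The
 * leading `size` field is the versioning technique the report says cairo
 * lacks: the caller stores sizeof(the struct it was compiled against). */
typedef void *(*create_func_t)(void *closure, int id);

typedef struct {
    size_t size;                  /* sizeof(hooks_v1_t) as seen by the caller */
    void *closure;
    create_func_t surface_create;
} hooks_v1_t;

typedef struct {
    size_t size;                  /* sizeof(hooks_v2_t) as seen by the caller */
    void *closure;
    create_func_t surface_create;
    create_func_t context_create; /* member added in version 2 */
} hooks_v2_t;

/* Library-side copy of the hooks (the "new" library knows the v2 layout). */
typedef struct {
    void *closure;
    create_func_t surface_create;
    create_func_t context_create;
} interpreter_t;

/* The reported failure mode: a new library that blindly reads the v2 member.
 * Passing a hooks_v1_t here reads past the caller's allocation (undefined
 * behaviour), so this function is never called with old-layout data below. */
void install_hooks_unchecked(interpreter_t *ctx, const hooks_v2_t *h)
{
    ctx->closure        = h->closure;
    ctx->surface_create = h->surface_create;
    ctx->context_create = h->context_create;   /* may be beyond the caller's struct */
}

/* True when the caller's struct is large enough to contain `member`. */
#define HOOKS_HAS(h, member) \
    ((h)->size >= offsetof(hooks_v2_t, member) + sizeof(((hooks_v2_t *)0)->member))

/* Size-checked installer: only touch members the caller actually allocated.
 * Both layouts share the same initial members, so the v2 pointer is safe for
 * every field that HOOKS_HAS() confirms.  Returns 0 on success, -1 if the
 * struct is smaller than the oldest supported layout. */
int install_hooks(interpreter_t *ctx, const void *caller_hooks)
{
    const hooks_v2_t *h = caller_hooks;

    if (h->size < sizeof(hooks_v1_t))
        return -1;                              /* not even a complete v1 struct */

    ctx->closure        = h->closure;
    ctx->surface_create = h->surface_create;
    ctx->context_create = HOOKS_HAS(h, context_create) ? h->context_create : NULL;
    return 0;
}

static void *demo_create(void *closure, int id)
{
    (void)closure; (void)id;
    return NULL;
}

/* A caller compiled against the old header: stack-allocates the v1 layout. */
int old_caller_install(interpreter_t *ctx)
{
    hooks_v1_t hooks;
    memset(&hooks, 0, sizeof hooks);
    hooks.size = sizeof hooks;
    hooks.surface_create = demo_create;
    return install_hooks(ctx, &hooks);          /* v1 memory, new library */
}

/* A caller rebuilt against the new header: allocates the full v2 layout. */
int new_caller_install(interpreter_t *ctx)
{
    hooks_v2_t hooks = { sizeof hooks, NULL, demo_create, demo_create };
    return install_hooks(ctx, &hooks);
}

int main(void)
{
    interpreter_t old_ctx, new_ctx;
    printf("old caller: rc=%d context_create=%p\n",
           old_caller_install(&old_ctx), (void *)old_ctx.context_create);
    printf("new caller: rc=%d context_create=%p\n",
           new_caller_install(&new_ctx), (void *)new_ctx.context_create);
    return 0;
}
```

      <p>The library reads <code>size</code> first and derives every other access from it, so an old binary keeps working with the new member defaulted to <code>NULL</code>, and a struct too small to be any known version is rejected instead of read. Without such a field (or an accessor-based API that hides the struct entirely), the only safe option is to treat the struct change as an ABI break and bump the soname.</p>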
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>