<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:psychon@znc.in" title="Uli Schlachter <psychon@znc.in>"> <span class="fn">Uli Schlachter</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED INVALID - CVE-2014-5116: large string null pointer dereference in cairo_image_surface_get_data"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=82431">bug 82431</a>
        <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Status</td>
           <td>NEEDINFO
           </td>
           <td>RESOLVED
           </td>
         </tr>

         <tr>
           <td style="text-align:right;">Resolution</td>
           <td>---
           </td>
           <td>INVALID
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED INVALID - CVE-2014-5116: large string null pointer dereference in cairo_image_surface_get_data"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=82431#c5">Comment # 5</a>
              on <a class="bz_bug_link 
          bz_status_RESOLVED  bz_closed"
   title="RESOLVED INVALID - CVE-2014-5116: large string null pointer dereference in cairo_image_surface_get_data"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=82431">bug 82431</a>
              from <span class="vcard"><a class="email" href="mailto:psychon@znc.in" title="Uli Schlachter <psychon@znc.in>"> <span class="fn">Uli Schlachter</span></a>
</span></b>
        <pre>Those references are "wireshark crashes if I do $THIS" (which I cannot
reproduce), "the stack trace points at cairo, so this must be a bug in cairo"
(which is just wrong) and you said "wireshark somehow worked around this", but
apparently can't say how.

So those references can be summarized as "there is a bug. Somewhere.".

To explain why "the stack trace points at cairo, so this must be a bug in
cairo" is just wrong, here is the code for cairo_image_surface_get_data(). Good
luck spotting anything that depends on how much text someone enters into
wireshark.

unsigned char *
cairo_image_surface_get_data (cairo_surface_t *surface)
{
    cairo_image_surface_t *image_surface = (cairo_image_surface_t *) surface;

    if (! _cairo_surface_is_image (surface)) {
        _cairo_error_throw (CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
        return NULL;
    }

    return image_surface->data;
}

static inline cairo_bool_t
_cairo_surface_is_image (const cairo_surface_t *surface)
{
    return surface->backend && surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;
}

NULL pointer dereference in there means that the caller passed in NULL, so the
caller is wrong. I would suggest getting rid of that CVE (likely impossible)
and reporting this to gtk+, since this being their bug seems the most likely to
me. However, since apparently no one can reproduce this and wireshark devs are
playing the finger-pointing-game, I would suggest forgetting about this.

Closing as INVALID. Feel free to reopen if there is some actually useful
information about how those seven lines of code are buggy if I enter too much
text somewhere.</pre>
        </div>
      </p>
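<p>To make the point of the comment above concrete, here is an added, stand-alone C example (not part of the bug report and not cairo's code). It reproduces the two quoted functions on top of constructed stand-ins for cairo's surface and backend structs (only the members the quoted lines touch; the enum values and the <code>_cairo_error_throw</code> stub are constructed, not cairo's), and adds a hypothetical caller-side helper <code>checked_get_data</code> that rejects a NULL surface before it reaches <code>cairo_image_surface_get_data</code>. Because <code>_cairo_surface_is_image</code> dereferences <code>surface-&gt;backend</code> without a NULL test, a NULL argument faults inside cairo even though the defect is in the caller, which is exactly why the stack trace is misleading.</p>

```c
/* Added example: constructed stand-ins for the cairo types used by the
 * quoted code, the quoted logic itself, and a caller-side NULL guard.
 * Nothing here is cairo's real header; it exists only to run offline. */
#include <stddef.h>
#include <stdio.h>

typedef int cairo_bool_t;

/* Constructed: numeric values are arbitrary, not cairo's real enum values. */
typedef enum {
    CAIRO_SURFACE_TYPE_IMAGE,
    CAIRO_SURFACE_TYPE_OTHER        /* stands in for any non-image backend */
} cairo_surface_type_t;

typedef struct { cairo_surface_type_t type; } cairo_surface_backend_t;
typedef struct { const cairo_surface_backend_t *backend; } cairo_surface_t;
typedef struct {
    cairo_surface_t base;           /* first member, so the cast below is valid */
    unsigned char *data;
} cairo_image_surface_t;

/* Constructed stand-in for cairo's error reporting: records the last status. */
enum { CAIRO_STATUS_SUCCESS, CAIRO_STATUS_SURFACE_TYPE_MISMATCH };
static int last_status = CAIRO_STATUS_SUCCESS;
static void _cairo_error_throw (int status) { last_status = status; }

/* The quoted cairo logic, behaviour unchanged. Both the type check and the
 * final return dereference `surface`; a NULL argument therefore crashes
 * here, inside cairo, although the caller is the one at fault. */
static inline cairo_bool_t
_cairo_surface_is_image (const cairo_surface_t *surface)
{
    return surface->backend && surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;
}

unsigned char *
cairo_image_surface_get_data (cairo_surface_t *surface)
{
    cairo_image_surface_t *image_surface = (cairo_image_surface_t *) surface;

    if (! _cairo_surface_is_image (surface)) {
        _cairo_error_throw (CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
        return NULL;
    }
    return image_surface->data;
}

/* Hypothetical caller-side guard: a NULL surface never reaches cairo, and a
 * NULL result is treated as "no pixel data", never as a usable buffer. */
unsigned char *
checked_get_data (cairo_surface_t *surface)
{
    if (surface == NULL)
        return NULL;
    return cairo_image_surface_get_data (surface);
}

int main (void)
{
    unsigned char pixels[4] = {0};
    const cairo_surface_backend_t image_be = { CAIRO_SURFACE_TYPE_IMAGE };
    const cairo_surface_backend_t other_be = { CAIRO_SURFACE_TYPE_OTHER };
    cairo_image_surface_t img = { { &image_be }, pixels };
    cairo_surface_t other = { &other_be };

    printf ("image surface  -> %s\n", checked_get_data (&img.base) == pixels ? "data" : "NULL");
    printf ("other surface  -> %s (type mismatch recorded: %d)\n",
            checked_get_data (&other) ? "data" : "NULL",
            last_status == CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
    printf ("NULL surface   -> %s\n", checked_get_data (NULL) ? "data" : "NULL");
    return 0;
}
```

<p>The guard belongs in the caller: the quoted function documents a type mismatch through <code>_cairo_error_throw</code>, but it has no way to report a NULL argument, so the only place that case can be handled is before the call.</p>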
    </body>
</html>