<html> <head> <base href="https://bugs.freedesktop.org/" /> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - Image compositor can pass invalid coordinates to pixman_fill()" href="https://bugs.freedesktop.org/show_bug.cgi?id=90120">90120</a> </td> </tr> <tr> <th>Summary</th> <td>Image compositor can pass invalid coordinates to pixman_fill() </td> </tr> <tr> <th>Product</th> <td>cairo </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>general </td> </tr> <tr> <th>Assignee</th> <td>chris@chris-wilson.co.uk </td> </tr> <tr> <th>Reporter</th> <td>federico@gnome.org </td> </tr> <tr> <th>QA Contact</th> <td>cairo-bugs@cairographics.org </td> </tr></table> <p> <div> <pre>See <a href="https://bugzilla.gnome.org/show_bug.cgi?id=744391">https://bugzilla.gnome.org/show_bug.cgi?id=744391</a> for where this comes from. Summary: librsvg gets an SVG generated through fuzz-testing, and passes big coordinates that give problems to Cairo. In turn, Cairo ends up passing invalid coordinates to pixman_fill(), which does an out-of-bounds write. Pixman doesn't validate the arguments passed to pixman_fill(). Given that Cairo's problems with big coordinates and fixed-point overflow are Hard To Fix(tm), we can make Cairo at least responsible for not passing invalid coordinates to pixman's low-level machinery. The attached patch takes care of the call to pixman_fill() from this particular code path. I haven't gotten reports of other invalid calls to pixman_fill() from Cairo/librsvg.</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the QA Contact for the bug.</li> </ul> </body> </html>