<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Out of bound access in struct pattern -> type"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91266">91266</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Out of bound access in struct pattern -> type
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>ashim.shah@samsung.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Overview:
---------
Out-of-bounds access


Description:
-----------

<a href="http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer.c">http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer.c</a>, at line 1712:

"print_array" is called with the arguments "p->type" and "pattern_names",

where 'pattern_names' has length 8, as below:
static const char *pattern_names[] = {
    "native",
    "record",
    "other surface",
    "solid",
    "linear",
    "radial",
    "mesh",
    "raster"
};


At line 1587, the 8th element will be accessed, i.e. array[7] (or p->type[7]), as
below.

    for (i = j = 0; i < count; i++) { //count is 8
==>    if (array[i] != 0) 
        order[j++] = i;
    }

'p' is a struct in
<a href="http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer-private.h">http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer-private.h</a>, as
below:
struct pattern {
    unsigned int type[7]; /* native/record/other surface/gradients */
};

'type' is of length 7, and hence accessing the 8th element of 'p->type' as above
will result in an out-of-bounds access.


Expected:
--------
The 'type' array should be of length 8:
type[7] -> type[8]</pre>
        </div>
      </p>
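<p>The mismatch the report describes, reduced to a stand-alone C program. This is an added example, not cairo's code: the <code>pattern_names</code> table is copied from the report, while <code>struct pattern_buggy</code>, <code>struct pattern_fixed</code>, <code>missing_slots</code>, <code>record_pattern</code> and the <code>print_array</code> signature (which takes both table lengths, unlike cairo's) are constructed for illustration. It shows the seven-slot layout beside a hardened one whose slot count is derived from the name table, pinned with a <code>_Static_assert</code>, and walked by a loop bounded by the shorter of the two tables.</p>

```c
#include <stdio.h>
#include <string.h>

/* Number of elements in a statically sized array. It is an integer
 * constant expression, so it can also size a struct member. */
#define ARRAY_LENGTH(a) ((int) (sizeof (a) / sizeof ((a)[0])))

/* Constructed name table for this example, with the same eight entries the
 * report quotes from cairo-surface-observer.c. */
static const char *pattern_names[] = {
    "native",
    "record",
    "other surface",
    "solid",
    "linear",
    "radial",
    "mesh",
    "raster"
};

/* The shape of the bug: seven counters for eight names. A loop that walks
 * pattern_names and indexes type[] in step reads one element past the end
 * (type[7]) on its last iteration, so this struct is never read here. */
struct pattern_buggy {
    unsigned int type[7];
};

/* Hardened form: derive the slot count from the name table so the two
 * arrays cannot drift apart, and pin the relationship at compile time. */
struct pattern_fixed {
    unsigned int type[ARRAY_LENGTH (pattern_names)];
};

_Static_assert (ARRAY_LENGTH (((struct pattern_fixed *) 0)->type)
                == ARRAY_LENGTH (pattern_names),
                "pattern.type needs one slot per entry of pattern_names");

/* How many names the buggy layout leaves without a counter (1 here). */
static int
missing_slots (void)
{
    return ARRAY_LENGTH (pattern_names)
         - ARRAY_LENGTH (((struct pattern_buggy *) 0)->type);
}

/* Tally one use of pattern kind 'kind'. Returns 0 and leaves the struct
 * untouched if the kind has no slot, instead of writing out of bounds. */
static int
record_pattern (struct pattern_fixed *p, int kind)
{
    if (kind < 0 || kind >= ARRAY_LENGTH (p->type))
        return 0;
    p->type[kind]++;
    return 1;
}

/* Hardened print_array: the caller passes the length of BOTH tables and
 * the walk is bounded by the shorter one, so a mismatch between counters
 * and names can never turn into an over-read of either buffer. Returns the
 * number of non-zero counters written to 'out'. */
static int
print_array (FILE *out,
             const unsigned int *array, int array_len,
             const char **names, int names_len)
{
    int count = array_len < names_len ? array_len : names_len;
    int i, printed = 0;

    for (i = 0; i < count; i++) {
        if (array[i] != 0) {
            fprintf (out, " %s=%u", names[i], array[i]);
            printed++;
        }
    }
    fputc ('\n', out);
    return printed;
}

int
main (void)
{
    struct pattern_fixed p;
    memset (&p, 0, sizeof (p));

    printf ("buggy layout leaves %d name(s) without a counter\n",
            missing_slots ());

    /* Kind 7 is "raster", exactly the slot the seven-element array lacks. */
    record_pattern (&p, 7);
    record_pattern (&p, 3);
    record_pattern (&p, 7);
    record_pattern (&p, 42);   /* rejected: no such kind */

    printf ("patterns:");
    print_array (stdout, p.type, ARRAY_LENGTH (p.type),
                 pattern_names, ARRAY_LENGTH (pattern_names));
    return 0;
}
```

<p>The point of sizing <code>type[]</code> from <code>pattern_names</code> rather than from a literal is that the next person who appends a pattern kind cannot reintroduce the over-read; the static assertion is the belt to that pair of braces, and the length-clamped loop is the last line of defence if a caller ever hands in mismatched tables anyway.</p>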
    </body>
</html>