[cairo-bugs] [Bug 58061] New: Null pointer dereference in cairo_image_get_surface_data()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Sun Dec 9 12:56:29 PST 2012 

https://bugs.freedesktop.org/show_bug.cgi?id=58061

          Priority: medium
            Bug ID: 58061
          Assignee: chris at chris-wilson.co.uk
           Summary: Null pointer dereference in
                    cairo_image_get_surface_data()
        QA Contact: cairo-bugs at cairographics.org
          Severity: normal
    Classification: Unclassified
                OS: Windows (All)
          Reporter: mov_ebpesp at yahoo.com
          Hardware: All
            Status: NEW
           Version: 1.12.8
         Component: general
           Product: cairo

Created attachment 71241
  --> https://bugs.freedesktop.org/attachment.cgi?id=71241&action=edit
Detailed information of the crash.

Bug found while running gnucash 2.4.11 on windows (cross bug from gnucash
https://bugzilla.gnome.org/show_bug.cgi?id=689942).

Facts
-----

Every now and then (once per 1-3 h) gnucash seems to crash. This can happen
after a save, or updating a transaction or even leaving the computer alone for
a while - when I come back it's crashed.

The crash is a null pointer exception inside
libcairo.cairo_image_get_surface_data where a comparison check is done against
0.

68DE04E1  |.  8138 20AEE968 CMP DWORD PTR DS:[EAX],libcairo.68E9AE20

libcairo.68E9AE20 is just 00 00 00 00

This bug can be fixed by first checking EAX for 0 and then checking the pointer
pointed to by EAX if it's 0.

See attached "crash.txt" for more details.

Proposed fix (credits to John Ralls from gnucash team)
------------------------------------------------------

The actual patch is:
diff --git a/src/cairo-image-surface-inline.h
b/src/cairo-image-surface-inline.h
index 743d5fd..63e0c50 100644
--- a/src/cairo-image-surface-inline.h
+++ b/src/cairo-image-surface-inline.h
@@ -74,7 +74,7 @@ static inline cairo_bool_t
 _cairo_surface_is_image (const cairo_surface_t *surface)
 {
     /* _cairo_surface_nil sets a NULL backend so be safe */
-    return surface->backend && surface->backend->type ==
CAIRO_SURFACE_TYPE_IMA
+    return surface && surface->backend && surface->backend->type ==
CAIRO_SURFA
 }

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cairographics.org/archives/cairo-bugs/attachments/20121209/6457a6e1/attachment.html>

More information about the cairo-bugs mailing list