[cairo-bugs] [Bug 82431] CVE-2014-5116: large string null pointer dereference in cairo_image_surface_get_data

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Aug 13 00:51:51 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=82431

Uli Schlachter <psychon at znc.in> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #5 from Uli Schlachter <psychon at znc.in> ---
Those references are "wireshark crashes if I do $THIS" (which I cannot
reproduce), "the stack trace points at cairo, so this must be a bug in cairo"
(which is just wrong) and you said "wireshark somehow worked around this", but
apparently can't say how.

So those references can be summarized as "there is a bug. Somewhere.".

To explain why "the stack trace points at cairo, so this must be a bug in
cairo" is just wrong, here is the code for cairo_image_surface_get_data(). Good
luck spotting anything that depends on how much text someone enters into
wireshark.

unsigned char *
cairo_image_surface_get_data (cairo_surface_t *surface)
{
    cairo_image_surface_t *image_surface = (cairo_image_surface_t *) surface;

    if (! _cairo_surface_is_image (surface)) {
        _cairo_error_throw (CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
        return NULL;
    }

    return image_surface->data;
}

static inline cairo_bool_t
_cairo_surface_is_image (const cairo_surface_t *surface)
{
    return surface->backend && surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;
}

NULL pointer dereference in there means that the caller passed in NULL, so the
caller is wrong. I would suggest getting rid of that CVE (likely impossible)
and reporting this to gtk+, since this being their bug seems the most likely to
me. However, since apparently no one can reproduce this and wireshark devs are
playing the finger-pointing game, I would suggest forgetting about this.

Closing as INVALID. Feel free to reopen if there is some actually useful
information about how those seven lines of code are buggy if I enter too much
text somewhere.
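Added illustration, not part of the bug report and not cairo's code: a C sketch with stand-in struct layouts showing what the comment's argument means for crash triage. The only load the quoted function performs through the surface pointer is surface->backend, so a fault address equal to that member's offset points at a NULL surface from the caller; the wrapper shows the caller-side check that turns it into a status instead of a crash. Struct members, enum values and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in layouts (assumption: not cairo's real struct definitions, only
 * enough to reason about which load the quoted function performs first). */
typedef struct { int type; } backend_t;
typedef struct {
    int status;
    const backend_t *backend;   /* first field _cairo_surface_is_image() reads */
    unsigned char *data;
} surface_t;

enum { SURFACE_TYPE_IMAGE = 0, SURFACE_TYPE_OTHER = 1 };
enum { STATUS_OK = 0, STATUS_NULL_POINTER = 1, STATUS_TYPE_MISMATCH = 2 };

/* Same control flow as the quoted cairo_image_surface_get_data(), except that
 * a NULL surface is reported as a status instead of dereferenced. That check
 * belongs to the caller (or a wrapper around the call), not to cairo.
 * out may be NULL when only the status matters. */
int get_data_checked(const surface_t *surface, unsigned char **out)
{
    if (out) *out = NULL;
    if (surface == NULL)
        return STATUS_NULL_POINTER;
    /* The original already guards a NULL backend, so that case never faults. */
    if (surface->backend == NULL || surface->backend->type != SURFACE_TYPE_IMAGE)
        return STATUS_TYPE_MISMATCH;
    if (out) *out = surface->data;
    return STATUS_OK;
}

/* Builds a valid image surface (constructed sample) and returns the status
 * the wrapper reports for it, so the happy path can be checked standalone. */
int valid_surface_status(void)
{
    static unsigned char pixels[4];
    static const backend_t image_backend = { SURFACE_TYPE_IMAGE };
    surface_t s = { STATUS_OK, &image_backend, pixels };
    unsigned char *data;
    return get_data_checked(&s, &data);
}

/* Crash-triage helper: the only NULL-based load in the quoted function is
 * surface->backend, so a fault address equal to offsetof(surface_t, backend)
 * means the caller handed in NULL, which is exactly the comment's argument. */
int fault_is_null_surface(uintptr_t fault_addr)
{
    return fault_addr == (uintptr_t) offsetof(surface_t, backend);
}
```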
