[cairo-bugs] [Bug 82431] CVE-2014-5116: large string null pointer dereference in cairo_image_surface_get_data
bugzilla-daemon at freedesktop.org
Wed Aug 13 00:51:51 PDT 2014
https://bugs.freedesktop.org/show_bug.cgi?id=82431
Uli Schlachter <psychon at znc.in> changed:
           What |Removed  |Added
----------------------------------------------------------------------------
         Status |NEEDINFO |RESOLVED
     Resolution |---      |INVALID
--- Comment #5 from Uli Schlachter <psychon at znc.in> ---
Those references are "wireshark crashes if I do $THIS" (which I cannot
reproduce), "the stack trace points at cairo, so this must be a bug in cairo"
(which is just wrong) and you said "wireshark somehow worked around this", but
apparently can't say how.
So those references can be summarized as "there is a bug. Somewhere.".
To explain why "the stack trace points at cairo, so this must be a bug in
cairo" is just wrong, here is the code for cairo_image_surface_get_data(). Good
luck spotting anything that depends on how much text someone enters into
wireshark.
unsigned char *
cairo_image_surface_get_data (cairo_surface_t *surface)
{
    cairo_image_surface_t *image_surface = (cairo_image_surface_t *) surface;

    /* Reject surfaces that are not image surfaces; note that this check
     * itself has to dereference the surface pointer the caller handed in. */
    if (! _cairo_surface_is_image (surface)) {
        _cairo_error_throw (CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
        return NULL;
    }

    return image_surface->data;
}

static inline cairo_bool_t
_cairo_surface_is_image (const cairo_surface_t *surface)
{
    /* surface->backend is the first memory access through the caller's
     * pointer: a NULL surface faults here, before any pixel data is touched. */
    return surface->backend && surface->backend->type ==
           CAIRO_SURFACE_TYPE_IMAGE;
}
NULL pointer dereference in there means that the caller passed in NULL, so the
caller is wrong. I would suggest getting rid of that CVE (likely impossible)
and reporting this to gtk+, since this being their bug seems the most likely to
me. However, since apparently no one can reproduce this and wireshark devs are
playing the finger-pointing-game, I would suggest forgetting about this.
Closing as INVALID. Feel free to reopen if there is some actually useful
information about how those seven lines of code are buggy if I enter too much
text somewhere.
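The comment above makes a point that comes up in almost every "the stack trace points at library X" report: the faulting instruction in cairo_image_surface_get_data() is the first load through the pointer the caller supplied, so the callee cannot even detect a NULL surface without crashing on it. The following self-contained model, added here as an illustration and not cairo's or wireshark's own code, mirrors the control flow of the two quoted functions with stand-in types (the enum values, the backend struct layout and the get_data_checked() helper are assumptions for the model, not cairo's real definitions) and shows the three outcomes: an image surface returns its pixel buffer, a non-image surface is caught by the callee's own type check and returns NULL with a status error, and a NULL surface can only be stopped by a check on the caller's side.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in types: enough to reproduce the control flow of the quoted cairo
 * functions. These are NOT cairo's headers; enum values and struct layouts
 * are assumptions made for this model. */
typedef int cairo_bool_t;

typedef enum {
    CAIRO_SURFACE_TYPE_IMAGE,
    CAIRO_SURFACE_TYPE_OTHER        /* any non-image backend, e.g. xlib */
} cairo_surface_type_t;

typedef enum {
    CAIRO_STATUS_SUCCESS,
    CAIRO_STATUS_SURFACE_TYPE_MISMATCH
} cairo_status_t;

typedef struct { cairo_surface_type_t type; } cairo_surface_backend_t;
typedef struct { const cairo_surface_backend_t *backend; } cairo_surface_t;
typedef struct { cairo_surface_t base; unsigned char *data; } cairo_image_surface_t;

/* Model of cairo's error reporting: record the last status thrown. */
static cairo_status_t last_error = CAIRO_STATUS_SUCCESS;
static void _cairo_error_throw(cairo_status_t s) { last_error = s; }

static inline cairo_bool_t
_cairo_surface_is_image(const cairo_surface_t *surface)
{
    /* First load through the caller's pointer: a NULL surface faults here. */
    return surface->backend && surface->backend->type == CAIRO_SURFACE_TYPE_IMAGE;
}

unsigned char *
cairo_image_surface_get_data(cairo_surface_t *surface)
{
    cairo_image_surface_t *image_surface = (cairo_image_surface_t *) surface;
    if (!_cairo_surface_is_image(surface)) {
        _cairo_error_throw(CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
        return NULL;
    }
    return image_surface->data;
}

/* Hypothetical caller-side guard (not a cairo API). The callee cannot tell a
 * NULL surface from a valid one without dereferencing it, so the code that
 * owns the surface pointer is the only place this check can live. */
unsigned char *
get_data_checked(cairo_surface_t *surface)
{
    if (surface == NULL)
        return NULL;    /* would otherwise SIGSEGV inside _cairo_surface_is_image */
    return cairo_image_surface_get_data(surface);
}

/* Constructed sample surfaces for the three cases. */
static unsigned char pixels[4];
static const cairo_surface_backend_t image_backend = { CAIRO_SURFACE_TYPE_IMAGE };
static const cairo_surface_backend_t other_backend = { CAIRO_SURFACE_TYPE_OTHER };

/* 1 if a real image surface yields its pixel buffer with no error thrown. */
int image_case_ok(void)
{
    cairo_image_surface_t img = { { &image_backend }, pixels };
    last_error = CAIRO_STATUS_SUCCESS;
    return get_data_checked(&img.base) == pixels
        && last_error == CAIRO_STATUS_SUCCESS;
}

/* 1 if a non-image surface is rejected by the callee's own check: NULL is
 * returned and a type-mismatch status is thrown, but nothing crashes. */
int mismatch_case_ok(void)
{
    cairo_surface_t other = { &other_backend };
    last_error = CAIRO_STATUS_SUCCESS;
    return get_data_checked(&other) == NULL
        && last_error == CAIRO_STATUS_SURFACE_TYPE_MISMATCH;
}

/* 1 if a NULL surface is stopped by the caller-side guard: the callee never
 * runs, so no status is thrown and no fault occurs. */
int null_case_ok(void)
{
    last_error = CAIRO_STATUS_SUCCESS;
    return get_data_checked(NULL) == NULL
        && last_error == CAIRO_STATUS_SUCCESS;
}

int main(void)
{
    printf("image=%d mismatch=%d null=%d\n",
           image_case_ok(), mismatch_case_ok(), null_case_ok());
    return 0;
}
```

Removing the `surface == NULL` check from get_data_checked() and calling it with NULL is the crash the bug report describes: the fault address is inside _cairo_surface_is_image(), i.e. inside cairo, while the NULL originates entirely in the caller.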