[cairo-bugs] [Bug 75819] New: _cairo_clip_set_all_clipped returns const value as non-const, caller modifies it -> crash on some platforms

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Mar 5 19:32:46 PST 2014


https://bugs.freedesktop.org/show_bug.cgi?id=75819

          Priority: medium
            Bug ID: 75819
          Assignee: chris at chris-wilson.co.uk
           Summary: _cairo_clip_set_all_clipped returns const value as
                    non-const, caller modifies it -> crash on some
                    platforms
        QA Contact: cairo-bugs at cairographics.org
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: andrew-freedesktop at gizmolabs.org
          Hardware: All
            Status: NEW
           Version: unspecified
         Component: general
           Product: cairo

This bug was originally filed as part of poppler, but it seems to be a cairo 
issue: https://bugs.freedesktop.org/show_bug.cgi?id=74661

Here are the relevant code snippets:

>>>> cairo-clip.c: (on some platforms, this will be allocated to a read-only page of memory)

const cairo_clip_t __cairo_clip_all;


>>>> cairo-clip-inline.h: (returning __cairo_clip_all as non-const! uh oh...)

static inline cairo_clip_t *
_cairo_clip_set_all_clipped (cairo_clip_t *clip)
{
    _cairo_clip_destroy (clip);
    return (cairo_clip_t *) &__cairo_clip_all;
}


>>>> cairo-clip-boxes.c: (mutate __cairo_clip_all -> CRASH!)

static cairo_clip_t *
_cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
                                     const cairo_rectangle_int_t *r,
                                     const cairo_box_t *box)
{
...
                clip = _cairo_clip_set_all_clipped (clip);
...
            clip->is_region = _cairo_box_is_pixel_aligned (box);
            ^^^^^^^^^^^^^^^ bad write
...
}

I'm not a cairo expert by any stretch of the imagination, so I don't know the
solution here. My gut reaction is to make the memory non-const so that it
doesn't crash; that should at least work as well as systems where this doesn't
crash. Still, it seems like someone who knows this code could see if there's a
better solution.

Thanks,
-andrew
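The pattern described in the report, reduced to a stand-alone C program. This is an added example for this archive page, not cairo's code: the demo_ names, the demo_clip_t layout and the shape of demo_clip_intersect are stand-ins for the cairo identifiers quoted above. It shows the const sentinel, the cast that discards const, and a hardened helper/caller pair that keeps const and checks for the sentinel before writing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the pattern in the report (added example, not cairo code):
 * a shared immutable "all clipped" sentinel, a helper that hands it out,
 * and a caller that may write to the clip it was given. demo_ names are
 * hypothetical stand-ins for the cairo identifiers quoted above. */
typedef struct {
    bool is_region;
    int  num_boxes;
} demo_clip_t;

/* Like __cairo_clip_all: a const object with static storage duration. The
 * toolchain may place it in a read-only section (.rodata on ELF), so any
 * write to it faults at run time; on other platforms the write silently
 * corrupts the sentinel that every later caller shares. */
static const demo_clip_t demo_clip_all = { false, 0 };

/* The pattern from cairo-clip-inline.h: the cast discards const, so the
 * compiler can no longer stop a caller from writing through the result.
 * gcc and clang flag this cast under -Wcast-qual. Kept here for contrast;
 * nothing in this program writes through it. */
static demo_clip_t *
demo_clip_set_all_clipped_unsafe(void)
{
    return (demo_clip_t *) &demo_clip_all;
}

/* Hardened helper: the return type keeps const, so a write such as
 * `demo_clip_set_all_clipped()->is_region = true;` is a compile error
 * instead of a run-time crash. */
static const demo_clip_t *
demo_clip_set_all_clipped(void)
{
    return &demo_clip_all;
}

/* Identity check against the sentinel. Any code path that intends to
 * mutate a clip must test this first. */
static bool
demo_clip_is_all_clipped(const demo_clip_t *clip)
{
    return clip == &demo_clip_all;
}

/* Hardened shape of the caller in cairo-clip-boxes.c: when the intersection
 * is empty, return the shared sentinel and skip the write; only a clip the
 * caller owns (mutable memory) receives the is_region update. */
static const demo_clip_t *
demo_clip_intersect(demo_clip_t *clip, bool empty, bool pixel_aligned)
{
    if (empty)
        return demo_clip_set_all_clipped();   /* no write to the sentinel */
    clip->is_region = pixel_aligned;          /* caller-owned, writable */
    return clip;
}

int
main(void)
{
    demo_clip_t own = { false, 0 };
    const demo_clip_t *r = demo_clip_intersect(&own, false, true);
    printf("own clip: is_region=%d sentinel=%d\n",
           r->is_region, demo_clip_is_all_clipped(r));

    r = demo_clip_intersect(&own, true, true);
    printf("empty intersection: sentinel=%d is_region=%d\n",
           demo_clip_is_all_clipped(r), r->is_region);

    /* Reading through the unsafe pointer is fine; it aliases the sentinel. */
    printf("unsafe pointer aliases sentinel: %d\n",
           demo_clip_is_all_clipped(demo_clip_set_all_clipped_unsafe()));

    /* The bug the report describes, in one line (deliberately not executed):
     *   demo_clip_set_all_clipped_unsafe()->is_region = true;
     * This faults wherever demo_clip_all lives in read-only memory. */
    return 0;
}
```

The hardened version keeps the const rather than dropping it from the sentinel: making the object writable, as the report suggests as a fallback, stops the crash but leaves a shared singleton that any caller can corrupt for everyone else, and the mis-placed write would no longer be detectable. Keeping const in the helper's return type turns the bad write into a compile error, and building with -Wcast-qual surfaces every remaining place where const is cast away.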
