[cairo-bugs] [Bug 91266] New: Out of bound access in struct pattern -> type

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jul 8 04:15:09 PDT 2015


            Bug ID: 91266
           Summary: Out of bound access in struct pattern -> type
           Product: cairo
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: chris at chris-wilson.co.uk
          Reporter: ashim.shah at samsung.com
        QA Contact: cairo-bugs at cairographics.org

Out of bound access


http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer.c, At line:

"print_array" is called with argument "p->type" and "pattern_names".

where 'pattern_names' length is 8 as below
static const char *pattern_names[] = {
    "other surface",

At line:1587, 8th element will be accessed i.e. array[7] ( or p->type[7] ) as
in below.

    for (i = j = 0; i < count; i++) { //count is 8
==>    if (array[i] != 0) 
        order[j++] = i;

'p' is struct in
http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer-private.h as
struct pattern {
    unsigned int type[7]; /* native/record/other surface/gradients */

'type' is of length 7 and Hence accessing 8th element of 'p->type' as above
will result in out of bound access.

'type' array should be of length 8.
type[7] -> type[8]

You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cairographics.org/archives/cairo-bugs/attachments/20150708/d49f4bc6/attachment.html>

More information about the cairo-bugs mailing list