[cairo-bugs] [Bug 91266] New: Out of bound access in struct pattern -> type
bugzilla-daemon at freedesktop.org
Wed Jul 8 04:15:09 PDT 2015
https://bugs.freedesktop.org/show_bug.cgi?id=91266
Bug ID: 91266
Summary: Out of bound access in struct pattern -> type
Product: cairo
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: chris at chris-wilson.co.uk
Reporter: ashim.shah at samsung.com
QA Contact: cairo-bugs at cairographics.org
Overview:
---------
Out of bound access
Description:
-----------
http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer.c, at line
1712, "print_array" is called with the arguments "p->type" and "pattern_names",
where 'pattern_names' has length 8, as below:
    static const char *pattern_names[] = {
        "native",
        "record",
        "other surface",
        "solid",
        "linear",
        "radial",
        "mesh",
        "raster"
    };
At line 1587, the 8th element will be accessed, i.e. array[7] (or p->type[7]), as
below:
    for (i = j = 0; i < count; i++) { //count is 8
==>     if (array[i] != 0)
            order[j++] = i;
    }
'p' is a struct in
http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer-private.h, as
below:
    struct pattern {
        unsigned int type[7]; /* native/record/other surface/gradients */
    };
'type' is of length 7, and hence accessing the 8th element of 'p->type' as above
will result in an out-of-bound access.
Expected:
--------
'type' array should be of length 8.
type[7] -> type[8]
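As an added illustration of the fix (this is not cairo's code; ARRAY_LENGTH, collect_nonzero and the two check functions are names chosen here), the snippet below sizes the counter array from the name table, adds a compile-time guard so the two cannot drift apart again, and makes the print_array-style loop refuse a count larger than the array instead of reading past its end:

```c
#include <stddef.h>
#define ARRAY_LENGTH(a) (sizeof (a) / sizeof ((a)[0]))

/* The name table from the report: one entry per pattern kind. */
static const char *pattern_names[] = {
    "native", "record", "other surface", "solid",
    "linear", "radial", "mesh", "raster"
};
/* Corrected layout: counters sized from the name table, so index 7 exists. */
struct pattern {
    unsigned int type[ARRAY_LENGTH (pattern_names)];
};
/* Compile-time guard: the build fails if the two arrays ever drift apart. */
typedef char pattern_sizes_match[
    (sizeof (((struct pattern *) 0)->type) / sizeof (unsigned int)
     == ARRAY_LENGTH (pattern_names)) ? 1 : -1];

/* Bounds-checked form of the print_array loop: stores the indices of non-zero
   counters in order[] and returns how many, or -1 if count > array_len. */
int collect_nonzero (const unsigned int *array, size_t array_len,
                     size_t count, unsigned int *order)
{
    size_t i, j = 0;
    if (count > array_len)
        return -1;
    for (i = 0; i < count; i++)
        if (array[i] != 0)
            order[j++] = (unsigned int) i;
    return (int) j;
}

/* With the fixed struct, a use of the 8th kind ("raster") is reported. */
int raster_slot_reachable (void)
{
    struct pattern p = { { 0 } };
    unsigned int order[ARRAY_LENGTH (pattern_names)];
    p.type[ARRAY_LENGTH (pattern_names) - 1] = 1;
    return collect_nonzero (p.type, ARRAY_LENGTH (p.type),
                            ARRAY_LENGTH (pattern_names), order) == 1
           && order[0] == 7;
}

/* The report's 7-element array with count 8 is refused, not over-read. */
int old_layout_rejected (void)
{
    unsigned int old_type[7] = { 0 };
    unsigned int order[7];
    return collect_nonzero (old_type, ARRAY_LENGTH (old_type),
                            ARRAY_LENGTH (pattern_names), order) == -1;
}
```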