[cairo-bugs] [Bug 98165] DoS attack based on using SVG to generate invalid pointers from a _cairo_image_surface in write_png

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Oct 13 14:54:46 UTC 2016


--- Comment #5 from John Bowler <jbowler at acm.org> ---
If cairo does support bottom-up surfaces, as are typically used in engineering
analysis (where 'z' comes out of the page) then that is the correct solution.
Indeed, the change made to write_png (the cast to (size_t)) does not work
because the surface is not made inside cairo-png.c (as in read_png).

Internally libpng uses ptrdiff_t because the libpng "simplified API" accepts an
image buffer with a negative stride; stride is 31-bit signed in the API but the
local variables initialized using it are ptrdiff_t.

With hindsight it would have been better to use ptrdiff_t in the API, but the
CVEs only started rolling in after the API had been in use for a while.
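The following is an added illustration of the addressing convention the comment describes (row-0 pointer plus a signed stride, negative for bottom-up images) and of why a signed `ptrdiff_t` is needed to validate it. It is example code written for this page, not cairo's or libpng's own code; the `image_view` structure, `make_view`, `row_offset`, `view_is_valid` and `unsigned_span` are hypothetical names, and the 4x3 one-byte-per-pixel buffer is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image view (not cairo's or libpng's struct): the caller hands
 * over a row-0 position and a signed stride; a negative stride means the
 * rows run bottom-up in memory. */
typedef struct {
    const unsigned char *buf;   /* start of the allocation backing the image */
    size_t buf_size;            /* bytes in that allocation */
    ptrdiff_t row0;             /* byte offset of row 0 from buf */
    ptrdiff_t stride;           /* bytes from row y to row y+1; may be negative */
    size_t rowbytes;            /* bytes actually used per row */
    int height;
} image_view;

/* Byte offset of row y, computed entirely in signed arithmetic.  Returns 1
 * and stores the offset only if the whole row lies inside buf. */
int row_offset(const image_view *v, int y, ptrdiff_t *out)
{
    if (y < 0 || y >= v->height)
        return 0;
    if (v->row0 < 0 || (size_t)v->row0 > v->buf_size)
        return 0;
    /* y * stride cannot overflow when |stride| * height fits in ptrdiff_t. */
    ptrdiff_t limit = PTRDIFF_MAX / v->height;
    if (v->stride > limit || v->stride < -limit)
        return 0;
    ptrdiff_t step = (ptrdiff_t)y * v->stride;
    if (step > 0 && v->row0 > PTRDIFF_MAX - step)
        return 0;
    ptrdiff_t off = v->row0 + step;
    if (off < 0)
        return 0;
    if (v->rowbytes > v->buf_size || (size_t)off > v->buf_size - v->rowbytes)
        return 0;
    *out = off;
    return 1;
}

/* Check every row against the allocation before handing the image to a
 * writer; this is the check that has to live where the geometry is known. */
int view_is_valid(const image_view *v)
{
    ptrdiff_t off;
    if (v->height <= 0)
        return 0;
    for (int y = 0; y < v->height; y++)
        if (!row_offset(v, y, &off))
            return 0;
    return 1;
}

/* Describe an image of `h` rows stored in buf either top-down or bottom-up. */
image_view make_view(const unsigned char *buf, size_t buf_size,
                     size_t rowbytes, int h, int bottom_up)
{
    image_view v = { buf, buf_size, 0, (ptrdiff_t)rowbytes, rowbytes, h };
    if (bottom_up) {
        v.row0 = (ptrdiff_t)rowbytes * (h - 1);   /* row 0 is the last in memory */
        v.stride = -(ptrdiff_t)rowbytes;
    }
    return v;
}

/* What an unsigned stride does to a bottom-up image: the negative stride
 * wraps, so "stride * height" no longer describes the bytes the rows occupy. */
size_t unsigned_span(ptrdiff_t stride, int height)
{
    return (size_t)stride * (size_t)height;
}

/* Constructed demo buffer: 4 bytes per row, 3 rows, 1 byte per pixel. */
static unsigned char demo_pixels[12];

/* Offset of row y in a top-down (bottom_up = 0) or bottom-up view of the demo
 * buffer with the claimed height, or -1 if the row is rejected. */
ptrdiff_t demo_row(int bottom_up, int height, int y)
{
    image_view v = make_view(demo_pixels, sizeof demo_pixels, 4, height, bottom_up);
    ptrdiff_t off;
    return row_offset(&v, y, &off) ? off : -1;
}

int demo_valid(int bottom_up, int height)
{
    image_view v = make_view(demo_pixels, sizeof demo_pixels, 4, height, bottom_up);
    return view_is_valid(&v);
}

int main(void)
{
    printf("bottom-up row 0 starts at byte %td\n", demo_row(1, 3, 0));
    printf("3 rows: top-down valid=%d bottom-up valid=%d\n",
           demo_valid(0, 3), demo_valid(1, 3));
    printf("4 rows claimed in a 3-row buffer: valid=%d\n", demo_valid(1, 4));
    printf("(size_t)(-4) * 3 = %zu\n", unsigned_span(-4, 3));
    return 0;
}
```

The bottom-up view is accepted because each row's offset is recomputed with the signed stride and bounded against the allocation; casting that stride to `size_t` instead turns `stride * height` into a value near `SIZE_MAX`, which is why an unsigned check cannot describe the layout and the validation has to happen where the surface is created.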
