[cairo-bugs] [Bug 89521] segmentation fault during poppler_page_render (crashes inside _fill_xrgb32_lerp_opaque_spans)

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Aug 22 00:24:40 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=89521

--- Comment #6 from Bryce Harrington <bryce at osg.samsung.com> ---
The backtrace you posted unfortunately is against a cairo built without
symbols, so it's not clear where the crash within Cairo happened.  What Ilia
might be referring to is that the fix is suitably defensive but doesn't address
why the value is negative in the first place.  So, the patch probably did
actually fix the crashing behavior, but there may also need to be some input
value checking added somewhere.

I've opted to squash the two patches and land them, as they're also adding
defensive programming checks.

I'll leave the bug open for now, if others wish to investigate why the invalid
inputs are entering Cairo.

commit 63f14d4a8f155ebaaca63b49e7bacca55d681af5
Author:     Doran Moppert <dmoppert at redhat.com>
AuthorDate: Mon Jul 25 11:00:21 2016 +0930
Commit:     Bryce Harrington <bryce at osg.samsung.com>
CommitDate: Mon Aug 21 17:08:47 2017 -0700

    image: Check for negative len in fill/blit functions

    Applies the same fix as 5c82d91 to other potential negative len cases.

    Reviewed-by: Bryce Harrington <bryce at osg.samsung.com>

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20170822/404bfecb/attachment.html>


More information about the cairo-bugs mailing list