[cairo-bugs] [Bug 101531] New: NULL pointer dereference in cairo-polygon-intersect.c:1170

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Tue Jun 20 21:26:11 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101531

            Bug ID: 101531
           Summary: NULL pointer dereference in
                    cairo-polygon-intersect.c:1170
           Product: cairo
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: chris at chris-wilson.co.uk
          Reporter: foca at salesforce.com
        QA Contact: cairo-bugs at cairographics.org

Created attachment 132102
  --> https://bugs.freedesktop.org/attachment.cgi?id=132102&action=edit
Proof of concept

There is a NULL pointer dereference in cairo-polygon-intersect.c:1170 in
function active_edges:
1142    static inline void
1143    active_edges (cairo_bo_edge_t           *left,
1144                  int32_t                    top,
1145                  cairo_polygon_t           *polygon)
1146    {
...
1150            /* Yes, this is naive. Consider this a placeholder. */
1151    
1152            while (left != NULL) {
1153                assert (is_zero (winding));
1154    
1155                do {
1156                    winding[left->a_or_b] += left->edge.dir;
1157                    if (! is_zero (winding))
1158                        break;
1159    
1160                    if unlikely ((left->deferred.other))
1161                        edges_end (left, top, polygon);
1162    
1163                    left = left->next;
1164                    if (! left)
1165                        return;
1166                } while (1);
1167    
1168                right = left->next;
1169                do {
1170                    if unlikely ((right->deferred.other))

left->next is NULL in line 1168 so right is also set to NULL. When line 1170
is reached, the program tries to get deferred. Since right is 0, the program
tries to dereference 0x30 causing a segmentation fault.

This could be avoided with an extra check in 1169:
1169                if (right == NULL) return;
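As an added, self-contained C model of the loop structure quoted above (not cairo's own code and not the attached PoC), with the extra check the report suggests: the two walk loops, a simplified is_zero that treats the intersection as outside while either polygon's winding is zero (an assumption, as are the edge struct and the function names), and constructed edge lists showing a balanced input and an unbalanced one that would otherwise reach the NULL dereference.

```c
#include <stddef.h>
/* Simplified model of the report's active-edge walk; not cairo's own code. */
struct edge {
    int a_or_b;        /* owning polygon: 0 or 1 */
    int dir;           /* winding contribution: +1 or -1 */
    struct edge *next; /* next active edge, or NULL at the end of the list */
};
/* Assumption: the intersection is outside while either polygon's winding is 0. */
static int is_zero(const int w[2]) { return w[0] == 0 || w[1] == 0; }
/* Returns the number of spans opened and closed, or -1 when the list ends while
 * a span is still open: the state in which the original code sets right =
 * left->next = NULL (line 1168) and then dereferences it (line 1170). */
int walk_active_edges(struct edge *left)
{
    int winding[2] = { 0, 0 }, spans = 0;
    while (left != NULL) {
        do {                        /* advance to the edge that opens a span */
            winding[left->a_or_b] += left->dir;
            if (!is_zero(winding)) break;
            left = left->next;
            if (!left) return spans;
        } while (1);
        struct edge *right = left->next;
        if (right == NULL)          /* the extra check suggested for line 1169 */
            return -1;
        do {                        /* advance to the edge that closes the span */
            winding[right->a_or_b] += right->dir;
            if (is_zero(winding)) break;
            right = right->next;
            if (right == NULL) return -1;   /* same failure mode further along */
        } while (1);
        spans++;
        left = right->next;
    }
    return spans;
}
/* Constructed inputs (not the attached PoC): the balanced list opens and closes
 * one span; the unbalanced one (two openers, no closers) returns -1, no crash. */
int demo_balanced(void)
{
    struct edge e[4] = { {0, 1, NULL}, {1, 1, NULL}, {0, -1, NULL}, {1, -1, NULL} };
    e[0].next = &e[1]; e[1].next = &e[2]; e[2].next = &e[3];
    return walk_active_edges(&e[0]);
}
int demo_unbalanced(void)
{
    struct edge e[2] = { {0, 1, NULL}, {1, 1, NULL} };
    e[0].next = &e[1];
    return walk_active_edges(&e[0]);
}
```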

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)
