[cairo-bugs] [Bug 104797] New: There is an out-of-bound write vulnerability in fill_boxes function.

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Jan 26 02:01:36 UTC 2018 

https://bugs.freedesktop.org/show_bug.cgi?id=104797

            Bug ID: 104797
           Summary: There is an out-of-bound write vulnerability in
                    fill_boxes function.
           Product: cairo
           Version: 1.12.16
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: image backend
          Assignee: chris at chris-wilson.co.uk
          Reporter: yangx92 at hotmail.com
        QA Contact: cairo-bugs at cairographics.org

Hi,

There is at least an out-of-bound write vulnerability in Cairo project.

src/cairo-image-compositor.c
 330 static cairo_int_status_t
 331 fill_boxes (void                *_dst,
 332             cairo_operator_t     op,
 333             const cairo_color_t *color,
 334             cairo_boxes_t       *boxes)
 335 {
 336     cairo_image_surface_t *dst = _dst;
 337     struct _cairo_boxes_chunk *chunk;
 338     uint32_t pixel;
 339     int i;
 340 
 341     TRACE ((stderr, "%s x %d\n", __FUNCTION__, boxes->num_boxes));
 342 
 343     if (fill_reduces_to_source (op, color, dst, &pixel)) {
 344         for (chunk = &boxes->chunks; chunk; chunk = chunk->next) {
 345             for (i = 0; i < chunk->count; i++) {
 346                 int x = _cairo_fixed_integer_part (chunk->base[i].p1.x);
 347                 int y = _cairo_fixed_integer_part (chunk->base[i].p1.y);
 348                 int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) -
x;
 349                 int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) -
y;
 350                 pixman_fill ((uint32_t *) dst->data,
 351                              dst->stride / sizeof (uint32_t),
 352                              PIXMAN_FORMAT_BPP (dst->pixman_format),
 353                              x, y, w, h, pixel);
 354             }
 355         }
 356     }

As we can see from above code, x and y may be negative. 
(see https://bugzilla.mozilla.org/attachment.cgi?id=715614&action=diff) 

Below is the potential patch.
static cairo_int_status_t
fill_boxes (void                *_dst,
            cairo_operator_t     op,  
            const cairo_color_t *color,
            cairo_boxes_t       *boxes)
{
    cairo_image_surface_t *dst = _dst;
    struct _cairo_boxes_chunk *chunk;
    uint32_t pixel;
    int i;

    TRACE ((stderr, "%s x %d\n", __FUNCTION__, boxes->num_boxes));

    if (fill_reduces_to_source (op, color, dst, &pixel)) {
        for (chunk = &boxes->chunks; chunk; chunk = chunk->next) {
            for (i = 0; i < chunk->count; i++) {
                int x = _cairo_fixed_integer_part (chunk->base[i].p1.x);
                int y = _cairo_fixed_integer_part (chunk->base[i].p1.y);

+               x = (x < 0 ? 0 : x);
+               y = (y < 0 ? 0 : y);

                int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) - x; 
                int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) - y; 
                pixman_fill ((uint32_t *) dst->data,
                             dst->stride / sizeof (uint32_t),
                             PIXMAN_FORMAT_BPP (dst->pixman_format),
                             x, y, w, h, pixel);
            }    
        }    
    } 

At the same time, code that calls _cairo_fixed_integer_part function should add
same  check.

There are many functions, such as draw_image_boxes, composite_boxes and so on.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cairographics.org/archives/cairo-bugs/attachments/20180126/4388854c/attachment.html>

More information about the cairo-bugs mailing list