<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Off by one reading out of bound in _jpeg_skip_segment"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101427">101427</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Off by one reading out of bound in _jpeg_skip_segment
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>image backend
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>There is an off by one vulnerability in cairo, reading the jpeg headers of an
image surface.

The vulnerability is at cairo-image-info.c:76:

 70 static const unsigned char *
 71 _jpeg_skip_segment (const unsigned char *p)
 72 {
 73     int len;
 74 
 75     p++;
 76     len = (p[0] << 8) | p[1];
 77 
 78     return p + len;
 79 }

The off by one happens while reading the variable p[1].

This function is called from line cairo-image-info.c:143:

139 
140             if (p + 2 > data + length)
141                 return CAIRO_INT_STATUS_UNSUPPORTED;
142 
143             p = _jpeg_skip_segment (p);
144             break;
145         }

The check here should be >= instead of >:
140             if (p + 2 >= data + length)

Since in _jpeg_skip_segment 3 bytes are consumed (1 skipped and 2 read).

If an attacker could control p[1] then he could control how many bytes are
skipped reading the jpeg segment. It doesn't look this vulnerability has
security implications since the function _cairo_image_info_get_jpeg_info is
validating that the pointer is inside the bounds.</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>