<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101527">101527</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132097" name="attach_132097" title="Proof of concept">attachment 132097</a> <a href="attachment.cgi?id=132097&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558
in the function sweep_line_delete_edge:

543     sweep_line_delete_edge (sweep_line_t *sweep, edge_t *edge)
544     {
545         if (edge->right != NULL) {
546             edge_t *next = edge->next;
547             if (next->x == edge->x) {
548                 next->top = edge->top;
549                 next->right = edge->right;
550             } else
551                 edge_end_box (sweep, edge, sweep->current_y);
552         }
553     
554         if (sweep->cursor == edge)
555             sweep->cursor = edge->prev;
556     
557         edge->prev->next = edge->next;
558         edge->next->prev = edge->prev;

edge->next is 0 at line 558 so 0->prev is a NULL pointer dereference of 0x8
because ->prev is at +8 in edge struct, the segfault occurs at address 0x8.

I don't know exactly why the ->next field is NULL, I guess a solution could be
to check for this condition at the beginning of the function.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>