<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Attempting free on address which was not malloc() in cairo-clip.c:137"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101530">101530</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Attempting free on address which was not malloc() in cairo-clip.c:137
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132101" name="attach_132101" title="Proof of concept">attachment 132101</a> <a href="attachment.cgi?id=132101&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a bug attempting free on address which was not malloc() in
cairo-clip.c:137:
127     void
128     _cairo_clip_destroy (cairo_clip_t *clip)
129     {
130         if (clip == NULL || _cairo_clip_is_all_clipped (clip))
131             return;
132     
133         if (clip->path != NULL)
134             _cairo_clip_path_destroy (clip->path);
135     
136         if (clip->boxes != &clip->embedded_box)
137             free (clip->boxes);

In some cases clip->boxes could be allocated but in the PoC is not allocated is
assigned to clip->embedded_box a member of the same class at
cairo-clip-boxes.c:165
149     static cairo_clip_t *
150     _cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
151                                          const cairo_rectangle_int_t *r,
152                                          const cairo_box_t *box)
153     {
154         cairo_box_t extents_box;
155         cairo_bool_t changed = FALSE;
156         int i, j;
157     
158         if (clip == NULL) {
159             clip = _cairo_clip_create ();
160             if (clip == NULL)
161                 return _cairo_clip_set_all_clipped (clip);
162         }
163     
164         if (clip->num_boxes == 0) {
165             clip->boxes = &clip->embedded_box;

There is already a check in _cairo_clip_destroy to avoid similar cases:
136         if (clip->boxes != &clip->embedded_box)

But with the PoC the clip where the embedded_box is comming is different the
the clip being destroyed.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>