<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - NULL pointer dereference in cairo-polygon-intersect.c:1170"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101531">101531</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>NULL pointer dereference in cairo-polygon-intersect.c:1170
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>foca@salesforce.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=132102" name="attach_132102" title="Proof of concept">attachment 132102</a> <a href="attachment.cgi?id=132102&action=edit" title="Proof of concept">[details]</a></span>
Proof of concept

There is a NULL pointer dereference in cairo-polygon-intersect.c:1170 in
function active_edges:
1142    static inline void
1143    active_edges (cairo_bo_edge_t           *left,
1144                  int32_t                    top,
1145                  cairo_polygon_t           *polygon)
1146    {
...
1150            /* Yes, this is naive. Consider this a placeholder. */
1151    
1152            while (left != NULL) {
1153                assert (is_zero (winding));
1154    
1155                do {
1156                    winding[left->a_or_b] += left->edge.dir;
1157                    if (! is_zero (winding))
1158                        break;
1159    
1160                    if unlikely ((left->deferred.other))
1161                        edges_end (left, top, polygon);
1162    
1163                    left = left->next;
1164                    if (! left)
1165                        return;
1166                } while (1);
1167    
1168                right = left->next;
1169                do {
1170                    if unlikely ((right->deferred.other))

left->next is NULL in line 1168 so right is also set to NULL. When line 1170
is reached, the program tries to get deferred. Since right is 0, the program
tries to dereference 0x30 causing a segmentation fault.

This could be avoided with an extra check in 1169:
1169                if (right == NULL) return;

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To
reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali
(@Salbei_)</pre>
        </div>
      </p>
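<p>The pattern the report describes, as an added example that is not the reporter's code and not cairo's: a hypothetical, simplified active-edge list (struct <code>edge_t</code>, functions <code>count_spans</code> and <code>count_spans_from_arrays</code> are this example's own) walked with the same loop shape as the quoted snippet, where <code>right = left->next</code> can be NULL when the edge that made the winding non-zero is the last in the list. The <code>guarded</code> flag applies the early return proposed for line 1169 (and the same check after each step along <code>right</code>); without it the function returns -1 at the point where the real code would dereference NULL.</p>

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a sweep-line active-edge list. The field
 * names a_or_b / dir / next mirror the snippet in the report; the struct and
 * the functions below are this example's own, not cairo's code. */
typedef struct edge {
    int a_or_b;         /* 0 or 1: which input polygon the edge belongs to */
    int dir;            /* +1 or -1: edge direction */
    struct edge *next;  /* singly linked active-edge list, NULL-terminated */
} edge_t;

static int is_zero(const int w[2]) { return w[0] == 0 && w[1] == 0; }

/* Walks the list with the same shape as the reported loop: advance 'left'
 * until the winding is non-zero, then walk 'right' until it returns to zero
 * and count one span. Returns the span count, or -1 at the point where the
 * unguarded code would dereference a NULL 'right'. 'guarded' enables the
 * early return the report proposes for line 1169, plus the same check after
 * each 'right = right->next'. */
int count_spans(edge_t *left, int guarded)
{
    int spans = 0;
    while (left != NULL) {
        int winding[2] = {0, 0};
        do {
            winding[left->a_or_b] += left->dir;
            if (!is_zero(winding))
                break;
            left = left->next;
            if (!left)
                return spans;
        } while (1);

        edge_t *right = left->next;
        if (right == NULL)               /* the reported case: last edge has no partner */
            return guarded ? spans : -1; /* -1 stands in for the crash at line 1170 */

        do {
            winding[right->a_or_b] += right->dir;
            if (is_zero(winding))
                break;
            right = right->next;
            if (right == NULL)           /* same hazard further along the list */
                return guarded ? spans : -1;
        } while (1);

        spans++;
        left = right->next;
    }
    return spans;
}

#define MAX_EDGES 16

/* Builds a NULL-terminated list from parallel arrays (constructed input)
 * and runs count_spans() over it. Returns -2 if n exceeds MAX_EDGES. */
int count_spans_from_arrays(const int *a_or_b, const int *dir, int n, int guarded)
{
    edge_t edges[MAX_EDGES];
    if (n > MAX_EDGES)
        return -2;
    for (int i = 0; i < n; i++) {
        edges[i].a_or_b = a_or_b[i];
        edges[i].dir = dir[i];
        edges[i].next = (i + 1 < n) ? &edges[i + 1] : NULL;
    }
    return count_spans(n > 0 ? &edges[0] : NULL, guarded);
}

int main(void)
{
    /* Constructed inputs: a balanced pair, and a list ending on an unpaired edge. */
    const int pair_ab[] = {0, 0}, pair_dir[] = {1, -1};
    const int odd_ab[] = {0, 0, 1}, odd_dir[] = {1, -1, 1};

    printf("balanced pair, guarded:   %d\n", count_spans_from_arrays(pair_ab, pair_dir, 2, 1));
    printf("unpaired tail, unguarded: %d\n", count_spans_from_arrays(odd_ab, odd_dir, 3, 0));
    printf("unpaired tail, guarded:   %d\n", count_spans_from_arrays(odd_ab, odd_dir, 3, 1));
    return 0;
}
```

<p>The third input is the shape the PoC drives the real code into: the list is consumed down to one edge whose winding never returns to zero, so the partner lookup yields NULL. A test over such truncated lists is the regression check to keep alongside the one-line fix.</p>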


    </body>
</html>