<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - There is an out-of-bound write vulnerability in fill_boxes function."
   href="https://bugs.freedesktop.org/show_bug.cgi?id=104797">104797</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>There is an out-of-bound write vulnerability in fill_boxes function.
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>cairo
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>1.12.16
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>image backend
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>yangx92@hotmail.com
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>cairo-bugs@cairographics.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Hi,

There is at least one out-of-bounds write vulnerability in the Cairo project.

src/cairo-image-compositor.c
 330 static cairo_int_status_t
 331 fill_boxes (void                *_dst,
 332             cairo_operator_t     op,
 333             const cairo_color_t *color,
 334             cairo_boxes_t       *boxes)
 335 {
 336     cairo_image_surface_t *dst = _dst;
 337     struct _cairo_boxes_chunk *chunk;
 338     uint32_t pixel;
 339     int i;
 340 
 341     TRACE ((stderr, "%s x %d\n", __FUNCTION__, boxes->num_boxes));
 342 
 343     if (fill_reduces_to_source (op, color, dst, &pixel)) {
 344         for (chunk = &boxes->chunks; chunk; chunk = chunk->next) {
 345             for (i = 0; i < chunk->count; i++) {
 346                 int x = _cairo_fixed_integer_part (chunk->base[i].p1.x);
 347                 int y = _cairo_fixed_integer_part (chunk->base[i].p1.y);
 348                 int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) -
x;
 349                 int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) -
y;
 350                 pixman_fill ((uint32_t *) dst->data,
 351                              dst->stride / sizeof (uint32_t),
 352                              PIXMAN_FORMAT_BPP (dst->pixman_format),
 353                              x, y, w, h, pixel);
 354             }
 355         }
 356     }

As we can see from the code above, x and y may be negative.
(see <a href="https://bugzilla.mozilla.org/attachment.cgi?id=715614&action=diff">https://bugzilla.mozilla.org/attachment.cgi?id=715614&action=diff</a>) 

Below is a potential patch.
static cairo_int_status_t
fill_boxes (void                *_dst,
            cairo_operator_t     op,  
            const cairo_color_t *color,
            cairo_boxes_t       *boxes)
{
    cairo_image_surface_t *dst = _dst;
    struct _cairo_boxes_chunk *chunk;
    uint32_t pixel;
    int i;

    TRACE ((stderr, "%s x %d\n", __FUNCTION__, boxes->num_boxes));

    if (fill_reduces_to_source (op, color, dst, &pixel)) {
        for (chunk = &boxes->chunks; chunk; chunk = chunk->next) {
            for (i = 0; i < chunk->count; i++) {
                int x = _cairo_fixed_integer_part (chunk->base[i].p1.x);
                int y = _cairo_fixed_integer_part (chunk->base[i].p1.y);

+               x = (x < 0 ? 0 : x);
+               y = (y < 0 ? 0 : y);

                int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) - x; 
                int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) - y; 
                pixman_fill ((uint32_t *) dst->data,
                             dst->stride / sizeof (uint32_t),
                             PIXMAN_FORMAT_BPP (dst->pixman_format),
                             x, y, w, h, pixel);
            }    
        }    
    } 
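Review bot: The clamp added at `x = (x < 0 ? 0 : x);` and `y = (y < 0 ? 0 : y);` bounds only the top-left corner of each box; a box whose p2.x exceeds the surface width or whose p2.y exceeds its height still yields a w/h that makes pixman_fill write past the end of dst->data, so the patch does not by itself close the out-of-bounds write. A box whose p2 is also negative produces a negative w or h after the clamp, which should be skipped rather than handed to pixman_fill. Clipping every box on all four edges against the destination's width and height (the cairo_image_surface_t width/height fields, assuming the usual layout) and dropping empty or inverted boxes covers both cases; the rewritten loop body is below. If callers are expected to hand fill_boxes boxes already clipped to the surface, a single validation at the image compositor's entry point is more robust than repeating the check in every consumer of _cairo_fixed_integer_part as the report proposes. The closing brace of fill_boxes lies beyond the quoted excerpt.
```c
/* … unchanged: prologue, TRACE, fill_reduces_to_source check, outer chunk loop … */
            for (i = 0; i < chunk->count; i++) {
                int x1 = _cairo_fixed_integer_part (chunk->base[i].p1.x);
                int y1 = _cairo_fixed_integer_part (chunk->base[i].p1.y);
                int x2 = _cairo_fixed_integer_part (chunk->base[i].p2.x);
                int y2 = _cairo_fixed_integer_part (chunk->base[i].p2.y);

                /* Clip the box to the destination surface on all four edges. */
                if (x1 < 0) x1 = 0;
                if (y1 < 0) y1 = 0;
                if (x2 > dst->width)  x2 = dst->width;
                if (y2 > dst->height) y2 = dst->height;
                if (x2 <= x1 || y2 <= y1)
                    continue;   /* empty or inverted box: nothing to fill */

                pixman_fill ((uint32_t *) dst->data,
                             dst->stride / sizeof (uint32_t),
                             PIXMAN_FORMAT_BPP (dst->pixman_format),
                             x1, y1, x2 - x1, y2 - y1, pixel);
            }
```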

At the same time, other code that calls the _cairo_fixed_integer_part function should
add the same check.

There are many such functions, for example draw_image_boxes and composite_boxes, among others.</pre>
        </div>
      </p>


    </body>
</html>