[cairo] [PATCH cairo 1/3] script-surface: Check for invalid ids (CID #1159557, 1159558)
Bryce Harrington
bryce at bryceharrington.org
Sat Jun 9 05:34:25 UTC 2018
When the bitmap's min is non-zero, _bitmap_next_id() may break out of
its loop early, before initializing the prev variable. prev is then
dereferenced without a null ptr check.
Same issue is present in trace.c.
Coverity IDs: #1159557, #1159558
Signed-off-by: Bryce Harrington <bryce at bryceharrington.org>
---
src/cairo-script-surface.c | 3 ++-
util/cairo-trace/trace.c | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index e715cae..228d60e 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -267,7 +267,8 @@ _bitmap_next_id (struct _bitmap *b,
if (unlikely (bb == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
- *prev = bb;
+ if (prev != NULL)
+ *prev = bb;
bb->next = b;
bb->min = min;
bb->count = 1;
diff --git a/util/cairo-trace/trace.c b/util/cairo-trace/trace.c
index 3c05613..269e876 100644
--- a/util/cairo-trace/trace.c
+++ b/util/cairo-trace/trace.c
@@ -301,7 +301,9 @@ _type_next_token (Type *t)
}
bb = malloc (sizeof (struct _bitmap));
- *prev = bb;
+
+ if (prev != NULL)
+ *prev = bb;
bb->next = b;
bb->min = min;
bb->count = 1;
--
2.7.4
More information about the cairo
mailing list