[cairo] [PATCH cairo v2 1/8] script-surface: Check for invalid ids (CID #1159557, 1159558)
Bryce Harrington
bryce at bryceharrington.org
Wed Jun 13 00:35:31 UTC 2018
If the bitmap's min is non-zero, _bitmap_next_id() could break out of
its loop early, before initializing the prev variable. prev would then
be dereferenced without a null ptr check. This condition should never
occur in practice, so add an assert() to assure it doesn't.
Same issue is present in trace.c.
Coverity IDs: #1159557, #1159558
Signed-off-by: Bryce Harrington <bryce at bryceharrington.org>
---
src/cairo-script-surface.c | 1 +
util/cairo-trace/trace.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index e715cae..7db7dc5 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -262,6 +262,7 @@ _bitmap_next_id (struct _bitmap *b,
prev = &b->next;
b = b->next;
} while (b != NULL);
+ assert (prev != NULL);
bb = _cairo_malloc (sizeof (struct _bitmap));
if (unlikely (bb == NULL))
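Review bot: the `assert (prev != NULL);` added after `} while (b != NULL);` is compiled out when NDEBUG is defined, so it documents the invariant in debug builds but does not guard anything in release builds. If the early break really cannot happen before prev is set, a one-line comment beside the assert saying why would make that explicit. If it can, this function already has a failure path starting at `if (unlikely (bb == NULL))`, and the prev == NULL case could be routed the same way. The diffstat shows a single inserted line for this file, so please confirm that <assert.h> is already included here.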
diff --git a/util/cairo-trace/trace.c b/util/cairo-trace/trace.c
index 3c05613..87b2df4 100644
--- a/util/cairo-trace/trace.c
+++ b/util/cairo-trace/trace.c
@@ -299,8 +299,10 @@ _type_next_token (Type *t)
prev = &b->next;
b = b->next;
}
+ assert (prev != NULL);
bb = malloc (sizeof (struct _bitmap));
+
*prev = bb;
bb->next = b;
bb->min = min;
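Review bot: `bb = malloc (sizeof (struct _bitmap));` is followed by `*prev = bb;` and `bb->next = b;` with no check of the malloc result, and the second added line in this hunk is only a blank line after the malloc. Since the patch is hardening this function against a NULL dereference, that spot is where a `bb == NULL` check belongs, matching the `if (unlikely (bb == NULL))` test in cairo-script-surface.c; otherwise drop the whitespace-only line from the patch. The new assert is also removed under NDEBUG, so it does not protect `*prev = bb;` in release builds.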
--
2.7.4