[cairo] [PATCH cairo v2 1/8] script-surface: Check for invalid ids (CID #1159557, 1159558)

Bryce Harrington bryce at bryceharrington.org
Wed Jun 13 00:35:31 UTC 2018


If the bitmap's min is non-zero, _bitmap_next_id() could break out of
its loop early, before initializing the prev variable.  prev would then
be dereferenced without a null ptr check.  This condition should never
occur in practice, so add an assert() to assure it doesn't.

Same issue is present in trace.c.

Coverity IDs: #1159557, #1159558

Signed-off-by: Bryce Harrington <bryce at bryceharrington.org>
---
 src/cairo-script-surface.c | 1 +
 util/cairo-trace/trace.c   | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index e715cae..7db7dc5 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -262,6 +262,7 @@ _bitmap_next_id (struct _bitmap *b,
 	prev = &b->next;
 	b = b->next;
     } while (b != NULL);
+    assert (prev != NULL);
 
     bb = _cairo_malloc (sizeof (struct _bitmap));
     if (unlikely (bb == NULL))
diff --git a/util/cairo-trace/trace.c b/util/cairo-trace/trace.c
index 3c05613..87b2df4 100644
--- a/util/cairo-trace/trace.c
+++ b/util/cairo-trace/trace.c
@@ -299,8 +299,10 @@ _type_next_token (Type *t)
 	prev = &b->next;
 	b = b->next;
     }
+    assert (prev != NULL);
 
     bb = malloc (sizeof (struct _bitmap));
+
     *prev = bb;
     bb->next = b;
     bb->min = min;
-- 
2.7.4



More information about the cairo mailing list