Summary: NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558
Product: cairo
Reporter: foca <foca>
Component: general
Assignee: Chris Wilson <chris>
Status: RESOLVED MOVED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
i915 platform:
i915 features:
Attachments: Proof of concept
Created attachment 132097 [details]
Proof of concept

There is a NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558 in the function sweep_line_delete_edge:

    543 sweep_line_delete_edge (sweep_line_t *sweep, edge_t *edge)
    544 {
    545     if (edge->right != NULL) {
    546         edge_t *next = edge->next;
    547         if (next->x == edge->x) {
    548             next->top = edge->top;
    549             next->right = edge->right;
    550         } else
    551             edge_end_box (sweep, edge, sweep->current_y);
    552     }
    553
    554     if (sweep->cursor == edge)
    555         sweep->cursor = edge->prev;
    556
    557     edge->prev->next = edge->next;
    558     edge->next->prev = edge->prev;

edge->next is 0 at line 558, so 0->prev is a NULL pointer dereference at 0x8: ->prev is at +8 in the edge struct, so the segfault occurs at address 0x8.

I don't know exactly why the ->next field is NULL; I guess a solution could be to check for this condition at the beginning of the function.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:

    pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
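The following is an added example, not cairo's code and not part of the report above. It models the doubly linked edge list that sweep_line_delete_edge() unlinks from, to show two things a triager wants to confirm: why a NULL edge->next lands on fault address 0x8 on a 64-bit build (it is offsetof(edge_t, prev)), and what the check the reporter suggests changes. The struct layout (next at offset 0, prev second), the sentinel head/tail and the function names are assumptions made for the example; only the ->next/->prev links are modelled.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout: ->next first, ->prev second, so ->prev sits at +sizeof(void *),
 * which is +8 on an LP64 target and matches the report's fault address 0x8. */
typedef struct edge {
    struct edge *next;
    struct edge *prev;
    int x;               /* stand-in for the rest of cairo's edge_t fields */
} edge_t;

typedef struct {
    edge_t head, tail;   /* sentinels bracketing the live edges (assumption) */
    edge_t *cursor;
} sweep_line_t;

static void sweep_line_init(sweep_line_t *s)
{
    s->head.prev = NULL;  s->head.next = &s->tail;
    s->tail.prev = &s->head;  s->tail.next = NULL;
    s->cursor = &s->head;
}

/* Append a live edge just before the tail sentinel. */
static void sweep_line_insert(sweep_line_t *s, edge_t *e)
{
    e->prev = s->tail.prev;
    e->next = &s->tail;
    e->prev->next = e;
    s->tail.prev = e;
}

/* The address the faulting store hits when edge->next == NULL. */
size_t prev_offset(void)
{
    return offsetof(edge_t, prev);
}

/* Unguarded unlink, mirroring lines 554-558 of the quoted function.
 * With e->next == NULL the last line writes to *(NULL + prev_offset()). */
void unlink_unchecked(sweep_line_t *s, edge_t *e)
{
    if (s->cursor == e)
        s->cursor = e->prev;
    e->prev->next = e->next;
    e->next->prev = e->prev;   /* SIGSEGV at address 0x8 when e->next == NULL */
}

/* Guarded variant along the lines the reporter suggests: refuse to unlink a
 * node whose neighbour links are missing and leave the list untouched.
 * Returns 0 on success, -1 if the node cannot be unlinked safely. */
int unlink_checked(sweep_line_t *s, edge_t *e)
{
    if (e->next == NULL || e->prev == NULL)
        return -1;
    if (s->cursor == e)
        s->cursor = e->prev;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    return 0;
}

/* Number of live edges between the sentinels. */
static size_t sweep_line_count(const sweep_line_t *s)
{
    size_t n = 0;
    for (const edge_t *e = s->head.next; e != &s->tail; e = e->next)
        n++;
    return n;
}

/* Healthy list: insert three edges, delete the middle one; returns edges left. */
size_t demo_normal_delete(void)
{
    sweep_line_t s;
    edge_t a = {0}, b = {0}, c = {0};
    sweep_line_init(&s);
    sweep_line_insert(&s, &a);
    sweep_line_insert(&s, &b);
    sweep_line_insert(&s, &c);
    s.cursor = &b;
    if (unlink_checked(&s, &b) != 0 || s.cursor != &a)
        return (size_t)-1;
    return sweep_line_count(&s);   /* 2 */
}

/* Corrupted list: ->next has become NULL (constructed here, not taken from the
 * PoC). Returns the guarded unlink's status; unlink_unchecked() would crash. */
int demo_corrupted_next(void)
{
    sweep_line_t s;
    edge_t a = {0}, b = {0};
    sweep_line_init(&s);
    sweep_line_insert(&s, &a);
    sweep_line_insert(&s, &b);
    b.next = NULL;
    return unlink_checked(&s, &b); /* -1 */
}

int main(void)
{
    printf("->prev at offset %zu: NULL ->next faults at 0x%zx\n", prev_offset(), prev_offset());
    printf("normal delete leaves %zu edges\n", demo_normal_delete());
    printf("guarded unlink on corrupted edge returns %d\n", demo_corrupted_next());
    return 0;
}
```

The guard turns the crash into a refused operation, which is what the report asks for, but it only hides the symptom: something earlier left a live edge with a NULL ->next, and the list is still inconsistent after unlink_checked() returns -1. When triaging, reproduce under ASan or a debugger with the PoC and find the write that cleared the link before deciding whether a check in sweep_line_delete_edge() is the right fix.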