Summary: Attempting free on address which was not malloc() in cairo-clip.c:137
Product: cairo
Reporter: foca <foca>
Component: general
Assignee: Chris Wilson <chris>
Status: RESOLVED MOVED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Attachments: Proof of concept
Created attachment 132101 [details]: Proof of concept

There is a bug attempting free on an address which was not malloc()ed in cairo-clip.c:137:

```c
127 void
128 _cairo_clip_destroy (cairo_clip_t *clip)
129 {
130     if (clip == NULL || _cairo_clip_is_all_clipped (clip))
131         return;
132
133     if (clip->path != NULL)
134         _cairo_clip_path_destroy (clip->path);
135
136     if (clip->boxes != &clip->embedded_box)
137         free (clip->boxes);
```

In some cases clip->boxes could be allocated, but in the PoC it is not allocated: it is assigned to clip->embedded_box, a member of the same class, at cairo-clip-boxes.c:165:

```c
149 static cairo_clip_t *
150 _cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
151                                      const cairo_rectangle_int_t *r,
152                                      const cairo_box_t *box)
153 {
154     cairo_box_t extents_box;
155     cairo_bool_t changed = FALSE;
156     int i, j;
157
158     if (clip == NULL) {
159         clip = _cairo_clip_create ();
160         if (clip == NULL)
161             return _cairo_clip_set_all_clipped (clip);
162     }
163
164     if (clip->num_boxes == 0) {
165         clip->boxes = &clip->embedded_box;
```

There is already a check in _cairo_clip_destroy to avoid similar cases:

```c
136     if (clip->boxes != &clip->embedded_box)
```

But with the PoC the clip where the embedded_box is coming from is different than the clip being destroyed.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:

```sh
pdftocairo -svg PoC.pdf
```

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
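As an added illustration (a constructed model, not cairo's code and not the attached PoC): a minimal `clip_t` with the same `embedded_box` ownership convention, a shallow copy that reproduces the aliasing the report describes, a copy that rebinds the pointer so the destroy-time check stays sound, and a probe that tells the two apart. The names `clip_t`, `clip_copy_shallow`, `clip_copy` and `copy_frees_foreign_memory` are assumptions of this example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of cairo_clip_t's box storage (not cairo's own code). */
typedef struct { double x1, y1, x2, y2; } box_t;
typedef struct {
    box_t *boxes;        /* &embedded_box, or a malloc()ed array */
    int    num_boxes;
    box_t  embedded_box; /* in-object storage for the single-box case */
} clip_t;

/* As at cairo-clip-boxes.c:164-165: an empty clip starts on its embedded box. */
static void clip_set_single_box(clip_t *clip, box_t b)
{
    if (clip->num_boxes == 0)
        clip->boxes = &clip->embedded_box;
    clip->boxes[0] = b;
    clip->num_boxes = 1;
}

/* Buggy copy: dst->boxes now aliases the *source* clip's embedded_box, so the
 * destroy-time test `boxes != &clip->embedded_box` passes for dst and free()
 * runs on an address inside another object, as in the report. */
static void clip_copy_shallow(clip_t *dst, const clip_t *src)
{
    memcpy(dst, src, sizeof *dst);
}

/* Correct copy: rebind to dst's own embedded storage, or duplicate the heap
 * array, so a clip only ever frees memory it owns. */
static void clip_copy(clip_t *dst, const clip_t *src)
{
    size_t n = sizeof(box_t) * (size_t) src->num_boxes;
    memcpy(dst, src, sizeof *dst);
    if (src->boxes == &src->embedded_box)
        dst->boxes = &dst->embedded_box;
    else if ((dst->boxes = malloc(n)) != NULL)
        memcpy(dst->boxes, src->boxes, n);
}

/* True when the clip produced by `copy` would pass _cairo_clip_destroy's
 * ownership check yet point into `src`, i.e. free() a non-malloc() address. */
static bool copy_frees_foreign_memory(void (*copy)(clip_t *, const clip_t *))
{
    clip_t src = {0}, dst = {0};
    clip_set_single_box(&src, (box_t){0, 0, 10, 10});
    copy(&dst, &src);
    return dst.boxes != &dst.embedded_box && dst.boxes == &src.embedded_box;
}
```

The probe never calls free() on the aliased pointer; it only reports whether a destroy routine using cairo's check would do so.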