Bug 101550

Summary: Infinite recursion at cairo-mesh-pattern-rasterizer.c:848
Product: cairo
Reporter: foca <foca>
Component: general
Assignee: Chris Wilson <chris>
Status: RESOLVED MOVED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal
Priority: medium
Version: unspecified
Hardware: Other
OS: All
Attachments: Proof of concept; Fix for the stack overflow

Description foca@salesforce.com 2017-06-21 22:13:39 UTC
Created attachment 132125
Proof of concept

Hi, 

There is an infinite recursion in pdftocairo parsing the attached PoC1.pdf. As a result of the infinite (or very deep) recursion all the stack space is consumed and the application crashes.

The recursion happens at cairo-mesh-pattern-rasterizer.c:848:
844		    subc[2][i] = 0.5 * (c[0][i] + c[2][i]);
845		    subc[3][i] = 0.5 * (c[1][i] + c[3][i]);
846		}
847	
848		draw_bezier_patch (data, width, height, stride, first, subc);
849	
850		for (i = 0; i < 4; ++i) {
851		    subc[0][i] = subc[2][i];
852		    subc[1][i] = subc[3][i];

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC1.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
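The report above shows draw_bezier_patch halving its control points and recursing until the stack is exhausted. The following C program is an added illustration, not cairo's or poppler's code and not the attached patch: it models the same pattern on a single cubic Bezier segment, a halving recursion whose only stop condition is a flatness test. NaN coordinates never satisfy such a test (every comparison with NaN is false), so on a degenerate input the recursion has no natural end. The program adds two assumed mitigations, a non-finite check on the input and a hard recursion depth cap, and reports what each one does. The type names, the bounding-box flatness criterion, the depth value and the sample inputs are all constructed for this example.

```c
#include <math.h>
#include <stdio.h>

/* One cubic Bezier segment: four control points (x, y).  Assumption: a
 * simplified stand-in for the patch data cairo subdivides, not its layout. */
typedef struct { double x, y; } point_t;
typedef struct { point_t c[4]; } bezier_t;

/* What one run did, returned rather than printed so it can be checked. */
typedef struct {
    long leaves;    /* segments that stopped subdividing */
    int  deepest;   /* deepest recursion level reached */
    int  hit_limit; /* 1 if the depth cap fired at least once */
    int  rejected;  /* 1 if the input was refused for non-finite coordinates */
} rast_result_t;

static point_t mid (point_t a, point_t b)
{
    point_t m = { 0.5 * (a.x + b.x), 0.5 * (a.y + b.y) };
    return m;
}

/* Flatness test: the control points' bounding box is smaller than tol.
 * With NaN every comparison is false, and an infinite extent never shrinks
 * under halving, so on degenerate input this never returns true. */
static int is_flat (const bezier_t *b, double tol)
{
    double minx = b->c[0].x, maxx = b->c[0].x;
    double miny = b->c[0].y, maxy = b->c[0].y;
    for (int i = 1; i < 4; i++) {
        if (b->c[i].x < minx) minx = b->c[i].x;
        if (b->c[i].x > maxx) maxx = b->c[i].x;
        if (b->c[i].y < miny) miny = b->c[i].y;
        if (b->c[i].y > maxy) maxy = b->c[i].y;
    }
    return (maxx - minx) < tol && (maxy - miny) < tol;
}

/* de Casteljau split at t = 0.5: the same 0.5 * (a + b) averaging as the
 * subc[][] lines quoted in the report. */
static void split (const bezier_t *b, bezier_t *l, bezier_t *r)
{
    point_t m01 = mid (b->c[0], b->c[1]), m12 = mid (b->c[1], b->c[2]);
    point_t m23 = mid (b->c[2], b->c[3]);
    point_t m012 = mid (m01, m12), m123 = mid (m12, m23), m = mid (m012, m123);
    l->c[0] = b->c[0]; l->c[1] = m01;  l->c[2] = m012; l->c[3] = m;
    r->c[0] = m;       r->c[1] = m123; r->c[2] = m23;  r->c[3] = b->c[3];
}

static void subdivide (const bezier_t *b, double tol, int depth,
                       int max_depth, rast_result_t *r)
{
    bezier_t left, right;

    if (depth > r->deepest)
        r->deepest = depth;
    if (is_flat (b, tol)) {       /* normal termination: draw the segment */
        r->leaves++;
        return;
    }
    if (depth >= max_depth) {     /* guard: stop here instead of recursing */
        r->hit_limit = 1;
        r->leaves++;
        return;
    }
    split (b, &left, &right);
    subdivide (&left,  tol, depth + 1, max_depth, r);
    subdivide (&right, tol, depth + 1, max_depth, r);
}

/* reject_nonfinite refuses NaN/Inf input before any recursion; max_depth is
 * the hard cap on recursion depth.  Both are assumed mitigations. */
rast_result_t rasterize (const bezier_t *b, double tol, int max_depth,
                         int reject_nonfinite)
{
    rast_result_t res = { 0, 0, 0, 0 };

    for (int i = 0; reject_nonfinite && i < 4; i++)
        if (!isfinite (b->c[i].x) || !isfinite (b->c[i].y)) {
            res.rejected = 1;
            return res;
        }
    subdivide (b, tol, 0, max_depth, &res);
    return res;
}

/* Constructed inputs: a well-formed collinear segment and one whose first
 * control point is NaN (the NaN propagates into every sub-segment). */
bezier_t good_segment (void) { bezier_t b = {{ {0, 0}, {4, 0}, {8, 0}, {12, 0} }}; return b; }
bezier_t nan_segment  (void) { bezier_t b = {{ {NAN, 0}, {4, 0}, {8, 0}, {12, 0} }}; return b; }

int main (void)
{
    bezier_t n = nan_segment ();
    rast_result_t capped = rasterize (&n, 1.0, 12, 0);
    printf ("cap only: hit_limit=%d leaves=%ld\n", capped.hit_limit, capped.leaves);
    printf ("pre-check: rejected=%d\n", rasterize (&n, 1.0, 12, 1).rejected);
    return 0;
}
```

Running the NaN input with only the depth cap shows what the cap does and does not buy: the recursion now stops at the chosen depth, so stack use is bounded, but every node down to that depth is still visited, 2^12 leaves here and 2^N for a cap of N. Rejecting non-finite coordinates before recursing avoids both the stack exhaustion and that cost.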
Comment 1 Albert Astals Cid 2017-06-21 22:39:33 UTC
Is this an actual cairo bug?
Comment 2 foca@salesforce.com 2017-06-21 22:43:44 UTC
Sorry, it's a bug in poppler while using the cairo backend.
Comment 3 Albert Astals Cid 2017-06-21 22:56:11 UTC
Come on, if I assign the bug to cairo because the recursion happens in cairo code, can you please not say "no no, you've no idea, the bug is in poppler" and change it back?

But ok, I'll ignore this bug and that's it.
Comment 4 foca@salesforce.com 2017-06-21 22:58:41 UTC
Sorry Albert, I didn't realize you changed the product, and I thought you were suggesting this was a poppler bug instead of a cairo one.

My apologies.
Comment 5 Andrea Canciani 2017-06-22 09:00:52 UTC
Created attachment 132129
Fix for the stack overflow

This patch would fix the stack overflow, but the pattern in the PoC pdf file would still take an enormous amount of time to rasterize, given the current approach used in cairo.

Backward rasterization could probably help handling such degenerate patterns more efficiently, but the peculiar ordering of the mesh layers makes their use nontrivial.

What is the best way forward? Is this patch sufficient?
Comment 6 Bryce Harrington 2017-07-10 17:18:03 UTC
Is there a practical use case for the pattern? If not, the render time is probably irrelevant, would just need to avoid the stack overflow, right?
Comment 7 Bryce Harrington 2017-09-20 21:57:02 UTC
Would anyone have an objection if I went ahead and landed this patch?
Comment 8 GitLab Migration User 2018-08-25 13:36:51 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/97.