| Summary: | Infinite recursion at cairo-mesh-pattern-rasterizer.c:848 | ||
|---|---|---|---|
| Product: | cairo | Reporter: | foca <foca> |
| Component: | general | Assignee: | Chris Wilson <chris> |
| Status: | RESOLVED MOVED | QA Contact: | cairo-bugs mailing list <cairo-bugs> |
| Severity: | normal | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | Other | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: |
Proof of concept
Fix for the stack overflow |
||
Is this an actual cairo bug? Sorry, it's a bug in poppler while using the cairo backend. Come on, if i assign the bug to cairo because the recursion happens in cairo code, can you please not say "no no, you've no idea, the bug is in poppler" and change it back? But ok, i'll ignore this bug and that's it. Sorry Albert, I didn't realize you changed the product, and I though you were suggesting this was a poppler bug instead of a cairo one. My apologies. Created attachment 132129 [details] [review] Fix for the stack overflow This patch would fix the stack overflow, but the pattern in the PoC pdf file would still take an enormous amount of time to rasterize, given the current approach used in cairo. Backward rasterization could probably help handling such degenerate patterns more efficiently, but the peculiar ordering of the mesh layers makes their use nontrivial. What is the best way forward? Is this patch sufficient? Is there a practical user case for the pattern? If not, the render time is probably irrelevant, would just need to avoid the stack overflow, right? Would anyone have an objection if I went ahead and landed this patch? -- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/97. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 132125 [details] Proof of concept Hi, There is an infinite recursion in pdftocairo parsing the attached PoC1.pdf. As a result of the infinite (or very deep) recursion all the stack space is consumed and the application crashes. The recursion happens at, cairo-mesh-pattern-rasterizer.c:848: 844 subc[2][i] = 0.5 * (c[0][i] + c[2][i]); 845 subc[3][i] = 0.5 * (c[1][i] + c[3][i]); 846 } 847 848 draw_bezier_patch (data, width, height, stride, first, subc); 849 850 for (i = 0; i < 4; ++i) { 851 subc[0][i] = subc[2][i]; 852 subc[1][i] = subc[3][i]; This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use: pdftocairo -svg PoC1.pdf This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)