Bug 49089

Summary: evince crashes with "*** buffer overflow detected ***: evince terminated" while trying to print
Product: cairo
Reporter: Dominique Leuenberger <dominique-freedesktop.org>
Component: pdf backend
Assignee: Adrian Johnson <ajohnson>
Status: RESOLVED FIXED
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: normal    
Priority: medium    
Version: 1.12.0   
Hardware: Other   
OS: All   
Attachments: Fix the issue.

Description Dominique Leuenberger 2012-04-23 13:45:03 UTC
Created attachment 60497: Fix the issue.

Originally reported as downstream bug:
https://bugzilla.novell.com/show_bug.cgi?id=758422

_cairo_pdf_surface_add_source_surface allocates unique_id with size
unique_id_length but then copies surface_key.unique_id_length into it.

This causes e.g. evince to crash predictably while trying to print with:
  *** buffer overflow detected ***: evince terminated
Comment 1 Chris Wilson 2012-04-23 14:17:18 UTC
commit f736cd144305f7c9147912f6ec081962b3191e3d
Author: Jeff Mahoney <jeffm@suse.com>
Date:   Mon Apr 23 22:04:48 2012 +0100

    pdf: Fix wrong allocation in _cairo_pdf_surface_add_source_surface
    
    _cairo_pdf_surface_add_source_surface allocates unique_id with
    size unique_id_length but then copies surface_key.unique_id_length into it.
    
    This causes e.g. evince to crash predictably while trying to print with:
    *** buffer overflow detected ***: evince terminated
    
    We should be using surface_key.unique_id_length instead.
    
    Reported-by: Dominique Leuenberger <dominique-freedesktop.org@leuenberger.ne
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=49089
    Signed-off-by: Jeff Mahoney <jeffm@suse.com>

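The commit message describes the defect as a buffer allocated with one length and filled with another. The following is an added example, not cairo's code: a hypothetical reconstruction of that pattern, with the stale `unique_id_length` modelled as a separate parameter, shown beside the corrected form; the buggy variant refuses the mismatched copy instead of performing it.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical reconstruction of the bug's shape; the real cairo code is not on this page. */
typedef struct {
    const unsigned char *unique_id;
    unsigned long unique_id_length;
} surface_key_t;

/* Buggy shape: buffer sized from a separate unique_id_length, copy length taken
 * from surface_key. Instead of writing past the block, this version refuses the
 * copy when the two disagree, the kind of check _FORTIFY_SOURCE's memcpy makes
 * at runtime before printing "*** buffer overflow detected ***". */
unsigned char *add_source_surface_buggy(const surface_key_t *surface_key,
                                        unsigned long unique_id_length)
{
    unsigned char *unique_id = malloc(unique_id_length);
    if (unique_id == NULL)
        return NULL;
    if (surface_key->unique_id_length > unique_id_length) {
        free(unique_id); /* the original memcpy overflowed the heap block here */
        return NULL;
    }
    memcpy(unique_id, surface_key->unique_id, surface_key->unique_id_length);
    return unique_id;
}

/* Fixed shape per the commit: allocate and copy with the same length. */
unsigned char *add_source_surface_fixed(const surface_key_t *surface_key)
{
    unsigned char *unique_id = malloc(surface_key->unique_id_length);
    if (unique_id == NULL)
        return NULL;
    memcpy(unique_id, surface_key->unique_id, surface_key->unique_id_length);
    return unique_id;
}

/* Constructed sample: a 17-byte id (with terminator) paired with a stale 8-byte
 * allocation size. demo() returns 1 only if the mismatch is refused and the
 * fixed path yields a faithful copy. */
static const unsigned char sample_id[] = "0123456789abcdef";
int demo(void)
{
    surface_key_t key = { sample_id, sizeof sample_id };
    unsigned char *bad = add_source_surface_buggy(&key, 8);
    unsigned char *good = add_source_surface_fixed(&key);
    int ok = bad == NULL && good != NULL &&
             memcmp(good, sample_id, sizeof sample_id) == 0;
    free(bad);
    free(good);
    return ok;
}
```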