Bug 5026

Summary: Stack smash in cairo_stroker_join
Product: cairo
Reporter: Ken <kkauffman>
Component: general
Assignee: Carl Worth <cworth>
Status: RESOLVED NOTOURBUG
QA Contact: cairo-bugs mailing list <cairo-bugs>
Severity: critical
Priority: high
CC: bugs.freedesktop.org
Version: 1.0.2
Hardware: x86 (IA32)
OS: Linux (All)
Attachments: patch from gentoo bugreport

Description Ken 2005-11-12 07:12:55 UTC
"stack smashing attack in function _cairo_stroker_join()" happens with multiple
applications rendering them useless.

Using:
CFLAGS="-O3 -march=k8 -pipe -fomit-frame-pointer -fstack-protector
-fprefetch-loop-arrays -mno-tls-direct-seg-refs"
CHOST="x86_64-pc-linux-gnu"

Most likely related to -fstack-protector switch.
I am in the belief that Cairo should work with this option set for additional
security.
Comment 1 Ken 2005-11-19 10:52:59 UTC
I recompiled cairo without the -fstack-protector and this error does go away
during application usage.  This does not change the behavior of
_cairo_stroker_join(); it simply is not caught by stack protection.

I'm not comfortable with the fact that the cairo code can exploit the stack. I
believe this to have security implications.
Comment 2 Frederik 'Freso' S. Olesen 2006-02-17 06:31:49 UTC
This is also reported and has a patch in Gentoo's Bugzilla:
https://bugs.gentoo.org/show_bug.cgi?id=109480
Comment 3 foser 2006-03-31 02:40:08 UTC
Created attachment 5132: patch from gentoo bugreport
Comment 4 Carl Worth 2006-05-19 01:41:05 UTC
If that's the fix, then this definitely isn't a cairo bug.

If you can point me to a bug that has been filed with the appropriate upstream,
(whoever it is), then I'll add this workaround to cairo. Otherwise it seems
useful to maintain this failure as a demonstration and testcase of the real bug.

-Carl
