There is an off-by-one vulnerability in cairo when reading the JPEG headers of an image surface.
The vulnerability is at cairo-image-info.c:76:
70 static const unsigned char *
71 _jpeg_skip_segment (const unsigned char *p)
72 {
73     int len;
74
75     p++;
76     len = (p[0] << 8) | p[1];
77
78     return p + len;
79 }
The off-by-one happens when reading p[1] on line 76: after p++, that byte can be one past the end of the buffer.
This function is called from line cairo-image-info.c:143:
140         if (p + 2 > data + length)
141             return CAIRO_INT_STATUS_UNSUPPORTED;
143         p = _jpeg_skip_segment (p);
The check here should be >= instead of >:
140         if (p + 2 >= data + length)
since _jpeg_skip_segment consumes 3 bytes starting at p (1 skipped and 2 read). With the original check, p + 2 == data + length is still accepted, so the second length byte is read from data[length], one past the end.
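To make the boundary concrete, here is an added example (not cairo's code) that models the shipped check and the corrected one over buffer offsets instead of pointers, and a simplified marker walker in the style of _cairo_image_info_get_jpeg_info that uses the corrected check. The function names, the walker and the sample bytes are constructed for this demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets touched by _jpeg_skip_segment when called with p at `off`:
 * p++ then p[0] and p[1], so the highest byte read is off + 2. */
static size_t skip_segment_last_read(size_t off)
{
    return off + 2;
}

/* The bounds check as shipped at cairo-image-info.c:140 ... */
static bool check_original(size_t off, size_t length)
{
    return !(off + 2 > length);
}

/* ... and the corrected form proposed in the report. */
static bool check_fixed(size_t off, size_t length)
{
    return !(off + 2 >= length);
}

/* True if `check` admits some call whose highest read offset lies
 * outside a buffer of `length` bytes (no memory is touched here). */
static bool check_allows_overread(bool (*check)(size_t, size_t), size_t length)
{
    for (size_t off = 0; off < length; off++)
        if (check(off, length) && skip_segment_last_read(off) >= length)
            return true;
    return false;
}

/* Simplified marker walker using the corrected check.  Returns the number
 * of segments walked, or -1 if the data is not a marker stream or a length
 * field (or segment body) would run past the end of the buffer. */
static int count_jpeg_segments(const uint8_t *data, size_t length)
{
    size_t p = 0;
    int segments = 0;

    while (p + 1 < length) {
        if (data[p] != 0xff)
            return -1;
        p++;                               /* p now at the marker byte */

        if (data[p] == 0xff) {             /* fill byte, skip it */
            p++;
            continue;
        }
        if (data[p] == 0xd8) {             /* SOI carries no length field */
            p++;
            segments++;
            continue;
        }
        if (data[p] == 0xd9)               /* EOI ends the stream */
            return segments + 1;

        if (!check_fixed(p, length))       /* both length bytes must exist */
            return -1;
        p++;
        size_t len = ((size_t)data[p] << 8) | data[p + 1];
        if (len < 2 || len > length - p)   /* the segment body must fit too */
            return -1;
        p += len;
        segments++;
    }
    return segments;
}

/* Constructed sample, not a real file: SOI, an APP0 segment whose length
 * field (4, counting itself) covers two payload bytes, then EOI. */
static const uint8_t sample_jpeg[] = {
    0xff, 0xd8,                         /* SOI */
    0xff, 0xe0, 0x00, 0x04, 0x4a, 0x46, /* APP0, length 4 */
    0xff, 0xd9                          /* EOI */
};

int main(void)
{
    printf("original check can overread: %s\n",
           check_allows_overread(check_original, 16) ? "yes" : "no");
    printf("fixed check can overread:    %s\n",
           check_allows_overread(check_fixed, 16) ? "yes" : "no");
    printf("segments in sample: %d\n",
           count_jpeg_segments(sample_jpeg, sizeof sample_jpeg));
    /* Buffer cut after the first length byte: the original check would
     * accept this (p + 2 == length) and read the missing second byte. */
    printf("segments in truncated sample: %d\n",
           count_jpeg_segments(sample_jpeg, 5));
    return 0;
}
```

The walker reports -1 for the 5-byte truncation because the corrected check rejects p + 2 == length, which is exactly the case the shipped `>` comparison lets through.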
If an attacker could control p, they could control how many bytes are skipped when reading the JPEG segment. This vulnerability does not appear to have security implications, since _cairo_image_info_get_jpeg_info validates that the pointer stays inside the bounds.
This vulnerability was found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)