There is an off-by-one vulnerability in cairo, reading the jpeg headers of an image surface. The vulnerability is at cairo-image-info.c:76:

70 static const unsigned char *
71 _jpeg_skip_segment (const unsigned char *p)
72 {
73     int len;
74
75     p++;
76     len = (p[0] << 8) | p[1];
77
78     return p + len;
79 }

The off-by-one happens while reading the variable p[1]. This function is called from line cairo-image-info.c:143:

139
140     if (p + 2 > data + length)
141         return CAIRO_INT_STATUS_UNSUPPORTED;
142
143     p = _jpeg_skip_segment (p);
144     break;
145 }

The check here should be >= instead of >, since in _jpeg_skip_segment 3 bytes are consumed (1 skipped and 2 read):

140     if (p + 2 >= data + length)

If an attacker could control p[1] then he could control how many bytes are skipped reading the jpeg segment. It doesn't look like this vulnerability has security implications, since the function _cairo_image_info_get_jpeg_info is validating that the pointer is inside the bounds.
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Fix pushed https://cgit.freedesktop.org/cairo/commit/?id=57b40507dda3f58dfc8635548d606b86dc7bcf51
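An added example, written for this page and not taken from cairo or from the bug report: a small model of the marker walk in _cairo_image_info_get_jpeg_info and the length arithmetic of _jpeg_skip_segment, using buffer offsets instead of pointers so the original check (> ) and the corrected one (>=) can be run side by side on constructed inputs without undefined pointer arithmetic. The names walk_markers, skip_segment, walk_result and the three sample byte arrays are hypothetical, as is the explicit handling of SOI/EOI/fill bytes, which is only there to keep the samples short. The truncated sample shows the one-byte overread the original check admits; the 0xffff-length sample shows how a controlled length field skips past the rest of the header (here, the SOS marker), with the loop condition ending the walk afterwards as the report describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model (not cairo's code) of the JPEG marker walk, using
 * offsets into `data` rather than raw pointers. */

enum { JPEG_OK = 0, JPEG_UNSUPPORTED = 1 };

struct walk_result {
    int status;     /* JPEG_OK or JPEG_UNSUPPORTED */
    int segments;   /* length-prefixed segments skipped */
    int overread;   /* 1 if the original '>' check let the length read touch data[length] */
};

/* Same arithmetic as _jpeg_skip_segment: pos is the offset of the marker
 * type byte; the two bytes after it hold the big-endian segment length,
 * which counts the length field itself but not the 0xFF/type pair. */
static size_t
skip_segment(const unsigned char *data, size_t pos)
{
    size_t len;

    pos++;
    len = ((size_t) data[pos] << 8) | data[pos + 1];
    return pos + len;
}

/* strict == 1: corrected check (pos + 2 >= length).
 * strict == 0: original check  (pos + 2 >  length). */
static struct walk_result
walk_markers(const unsigned char *data, size_t length, int strict)
{
    struct walk_result r = { JPEG_OK, 0, 0 };
    size_t pos = 0;

    while (pos + 1 < length) {
        if (data[pos] != 0xff) {
            r.status = JPEG_UNSUPPORTED;
            return r;
        }
        pos++;

        switch (data[pos]) {
        case 0xff:      /* fill byte: re-read it as the next marker prefix (assumption) */
            break;
        case 0xd8:      /* SOI: no length field (assumption) */
        case 0xd9:      /* EOI: no length field (assumption) */
            pos++;
            break;
        case 0xda:      /* SOS: header markers end here */
            return r;
        default:
            /* skip_segment reads data[pos + 1] and data[pos + 2], so three
             * bytes must be in bounds: reject unless pos + 2 < length.
             * The original '>' admits pos + 2 == length, where the second
             * length byte is data[length], one past the end. */
            if (strict ? (pos + 2 >= length) : (pos + 2 > length)) {
                r.status = JPEG_UNSUPPORTED;
                return r;
            }
            if (pos + 2 == length) {
                /* Reachable only with the original check: record the
                 * overread instead of performing it. */
                r.overread = 1;
                r.status = JPEG_UNSUPPORTED;
                return r;
            }
            pos = skip_segment(data, pos);
            r.segments++;
            break;
        }
    }
    /* A large attacker-chosen length pushes pos past the buffer; the loop
     * condition then ends the walk without another read. */
    return r;
}

/* Constructed inputs, not real files. SOI, one 4-byte APP0-style segment, SOS. */
static const unsigned char sample_ok[] = {
    0xff, 0xd8, 0xff, 0xe0, 0x00, 0x04, 0x4a, 0x46, 0xff, 0xda
};
/* Cut off after the first length byte: the second one would be data[length]. */
static const unsigned char sample_truncated[] = {
    0xff, 0xd8, 0xff, 0xe0, 0x00
};
/* Segment length 0xffff jumps over the SOS marker entirely. */
static const unsigned char sample_huge_len[] = {
    0xff, 0xd8, 0xff, 0xe0, 0xff, 0xff, 0xff, 0xda
};

static void
report(const char *name, const unsigned char *d, size_t n)
{
    struct walk_result a = walk_markers(d, n, 0), b = walk_markers(d, n, 1);

    printf("%-10s original: status=%d segments=%d overread=%d | "
           "fixed: status=%d segments=%d overread=%d\n",
           name, a.status, a.segments, a.overread,
           b.status, b.segments, b.overread);
}

int
main(void)
{
    report("ok", sample_ok, sizeof sample_ok);
    report("truncated", sample_truncated, sizeof sample_truncated);
    report("huge_len", sample_huge_len, sizeof sample_huge_len);
    return 0;
}
```

The two checks agree on the well-formed input and on the oversized length; they differ only on the truncated input, where the original check reaches the length read with exactly two bytes left and the corrected one rejects the marker.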