Bug 101527 - NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558
Summary: NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558
Status: RESOLVED MOVED
Alias: None
Product: cairo
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
Reported: 2017-06-20 18:11 UTC by foca@salesforce.com
Modified: 2018-08-25 13:34 UTC


Attachments
Proof of concept (8.82 KB, application/pdf)
2017-06-20 18:11 UTC, foca@salesforce.com

Description foca@salesforce.com 2017-06-20 18:11:16 UTC
Created attachment 132097
Proof of concept

There is a NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558 in the function sweep_line_delete_edge:

543    sweep_line_delete_edge (sweep_line_t *sweep, edge_t *edge)
544    {
545        if (edge->right != NULL) {
546            edge_t *next = edge->next;
547            if (next->x == edge->x) {
548                next->top = edge->top;
549                next->right = edge->right;
550            } else
551                edge_end_box (sweep, edge, sweep->current_y);
552        }
553
554        if (sweep->cursor == edge)
555            sweep->cursor = edge->prev;
556
557        edge->prev->next = edge->next;
558        edge->next->prev = edge->prev;

edge->next is 0 at line 558, so 0->prev is a NULL pointer dereference at 0x8: because ->prev is at +8 in the edge struct, the segfault occurs at address 0x8.

I don't know exactly why the ->next field is NULL; I guess a solution could be to check for this condition at the beginning of the function.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug, use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
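
The following is an added illustration, not code from this report or from cairo, of the unlink at lines 557-558 and of the kind of guard the reporter suggests. It uses a constructed stand-in edge struct that keeps only the prev/next/x fields (cairo's real edge_t has more), builds a three-edge list with no sentinel so the tail's next is NULL as observed in the report, and contrasts the unconditional unlink with one that checks both neighbours before writing through them. The guard stops the write through NULL; it does not answer the open question of why ->next was NULL in the first place, which is where the root cause still has to be found.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for cairo's edge_t, keeping only the link fields
 * the report's lines 557-558 touch (not cairo's real struct). With next
 * first, prev sits at offset +8 on an LP64 target, matching the faulting
 * address 0x8 described in the report. */
typedef struct edge {
    struct edge *next;
    struct edge *prev;
    int x;
} edge_t;

/* The unlink as written at lines 557-558 of the quoted function: it writes
 * through edge->next unconditionally, so a NULL next faults. */
static void unlink_unguarded(edge_t *edge)
{
    edge->prev->next = edge->next;
    edge->next->prev = edge->prev;
}

/* Guarded variant in the spirit of the reporter's suggestion: only write
 * through a neighbour that exists, and clear the removed node's links. */
static void unlink_guarded(edge_t *edge)
{
    if (edge->prev != NULL)
        edge->prev->next = edge->next;
    if (edge->next != NULL)
        edge->next->prev = edge->prev;
    edge->prev = NULL;
    edge->next = NULL;
}

/* 1 if unlink_unguarded(edge) would dereference NULL, else 0. */
static int unguarded_would_fault(const edge_t *edge)
{
    return edge->prev == NULL || edge->next == NULL;
}

/* Link a <-> b <-> c with no sentinel nodes, so c->next is NULL: the
 * state the report observed for the edge being deleted (constructed). */
static void build_list(edge_t *a, edge_t *b, edge_t *c)
{
    a->prev = NULL; a->next = b;    a->x = 10;
    b->prev = a;    b->next = c;    b->x = 20;
    c->prev = b;    c->next = NULL; c->x = 30;
}

/* Walk from head, verifying every prev link agrees with the next link.
 * Returns the node count, or -1 if the list is inconsistent. */
static int list_length_checked(const edge_t *head)
{
    int n = 0;
    const edge_t *prev = NULL;
    for (const edge_t *e = head; e != NULL; prev = e, e = e->next) {
        if (e->prev != prev)
            return -1;
        n++;
    }
    return n;
}

/* Scenario from the report: delete the last edge. Returns the consistent
 * list length after a guarded unlink (2), or -1 if links were corrupted. */
static int scenario_delete_tail_guarded(void)
{
    edge_t a, b, c;
    build_list(&a, &b, &c);
    unlink_guarded(&c);
    return list_length_checked(&a);
}

/* Same list: would the unguarded unlink fault on the tail? (1 = yes) */
static int scenario_tail_would_fault(void)
{
    edge_t a, b, c;
    build_list(&a, &b, &c);
    return unguarded_would_fault(&c);
}

/* The middle edge has both neighbours, so the unguarded unlink is safe
 * there. Returns the list length afterwards (2). */
static int scenario_delete_middle_unguarded(void)
{
    edge_t a, b, c;
    build_list(&a, &b, &c);
    unlink_unguarded(&b);
    return list_length_checked(&a);
}

int main(void)
{
    printf("tail would fault unguarded: %d\n", scenario_tail_would_fault());
    printf("length after guarded tail delete: %d\n", scenario_delete_tail_guarded());
    printf("length after unguarded middle delete: %d\n", scenario_delete_middle_unguarded());
    return 0;
}
```

The list-walk checker is the part worth keeping around when triaging a crash like this: running it on the sweep line before each delete would show whether the links were already inconsistent before line 557 ran, which separates "the unlink needs a guard" from "something earlier handed us a broken list".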
Comment 1 GitLab Migration User 2018-08-25 13:34:24 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/76.

