Created attachment 132101 [details]
Proof of concept

There is a bug that attempts to free an address which was not malloc()'d, in cairo-clip.c:137:

    127 void
    128 _cairo_clip_destroy (cairo_clip_t *clip)
    129 {
    130     if (clip == NULL || _cairo_clip_is_all_clipped (clip))
    131         return;
    132
    133     if (clip->path != NULL)
    134         _cairo_clip_path_destroy (clip->path);
    135
    136     if (clip->boxes != &clip->embedded_box)
    137         free (clip->boxes);

In some cases clip->boxes could be allocated, but in the PoC it is not allocated; it is assigned to clip->embedded_box, a member of the same struct, at cairo-clip-boxes.c:165:

    149 static cairo_clip_t *
    150 _cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
    151                                      const cairo_rectangle_int_t *r,
    152                                      const cairo_box_t *box)
    153 {
    154     cairo_box_t extents_box;
    155     cairo_bool_t changed = FALSE;
    156     int i, j;
    157
    158     if (clip == NULL) {
    159         clip = _cairo_clip_create ();
    160         if (clip == NULL)
    161             return _cairo_clip_set_all_clipped (clip);
    162     }
    163
    164     if (clip->num_boxes == 0) {
    165         clip->boxes = &clip->embedded_box;

There is already a check in _cairo_clip_destroy to avoid similar cases:

    136     if (clip->boxes != &clip->embedded_box)

But with the PoC, the clip where the embedded_box comes from is different from the clip being destroyed.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:

    pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
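The aliasing pattern behind this report, as an added C example that is not cairo's code: a simplified clip struct with an inline embedded_box, the same destroy-side identity check, a shallow copy that carries another clip's embedded pointer across (assumed here as one way the foreign pointer can arise; the report itself does not say where it comes from), and the corrected copy. All names (clip_t, clip_copy_shallow, clip_copy_fixed, clip_destroy_would_free, clip_boxes_alias_other) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified version of the cairo clip layout (added example). */
typedef struct { int x1, y1, x2, y2; } box_t;

typedef struct clip {
    box_t *boxes;        /* &embedded_box for a single box, else a malloc'd array */
    int    num_boxes;
    box_t  embedded_box; /* inline storage so the one-box case needs no malloc */
} clip_t;

/* Single rectangle: boxes aliases this clip's own embedded member. */
static void clip_init_single(clip_t *clip, box_t b)
{
    clip->boxes = &clip->embedded_box;
    clip->num_boxes = 1;
    clip->embedded_box = b;
}

/* Several rectangles: boxes is a heap array owned by this clip. Returns 0 on OOM. */
static int clip_init_heap(clip_t *clip, const box_t *b, int n)
{
    clip->boxes = malloc(sizeof(box_t) * (size_t)n);
    if (clip->boxes == NULL)
        return 0;
    memcpy(clip->boxes, b, sizeof(box_t) * (size_t)n);
    clip->num_boxes = n;
    return 1;
}

/* Same shape as the check in _cairo_clip_destroy: free() is skipped only when
 * boxes points at *this* clip's embedded_box. It cannot recognise a pointer
 * into some other clip's embedded_box, which is the state the PoC produces. */
static int clip_destroy_would_free(const clip_t *clip)
{
    return clip->boxes != NULL && clip->boxes != &clip->embedded_box;
}

static void clip_destroy(clip_t *clip)
{
    if (clip_destroy_would_free(clip))
        free(clip->boxes);
    clip->boxes = NULL;
    clip->num_boxes = 0;
}

/* BUGGY: a struct copy carries src->boxes verbatim. When src used its embedded
 * box, dst->boxes now points into src, and destroying dst frees a non-heap address. */
static void clip_copy_shallow(clip_t *dst, const clip_t *src)
{
    *dst = *src;
}

/* FIXED: re-point an embedded boxes pointer at dst's own member; deep-copy a heap array. */
static int clip_copy_fixed(clip_t *dst, const clip_t *src)
{
    if (src->boxes == &src->embedded_box) {
        clip_init_single(dst, src->embedded_box);
        return 1;
    }
    return clip_init_heap(dst, src->boxes, src->num_boxes);
}

/* Returns 1 if dst->boxes points at another clip's embedded storage (the bad state). */
static int clip_boxes_alias_other(const clip_t *dst, const clip_t *other)
{
    return dst != other && dst->boxes == &other->embedded_box;
}

int main(void)
{
    box_t b = {0, 0, 10, 10};
    clip_t a, c;
    clip_init_single(&a, b);

    clip_copy_shallow(&c, &a);
    /* c.boxes == &a.embedded_box and the destroy check would still free() it.
     * clip_destroy(&c) is deliberately not called here: that is the invalid free. */
    int bad = clip_boxes_alias_other(&c, &a) && clip_destroy_would_free(&c);

    clip_copy_fixed(&c, &a);
    clip_destroy(&c); /* safe: c now owns an embedded box, nothing is freed */
    clip_destroy(&a);
    return bad ? 1 : 0;
}
```

The takeaway for a reviewer is that an identity check against the object's own embedded member only protects against self-aliasing; any path that copies the struct, or hands one clip's boxes pointer to another clip, has to re-establish ownership, as clip_copy_fixed does, or the destroy path will call free() on an interior pointer of another object.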
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/51.