Bug 101530 - Attempting free on address which was not malloc() in cairo-clip.c:137
Summary: Attempting free on address which was not malloc() in cairo-clip.c:137
Status: RESOLVED MOVED
Alias: None
Product: cairo
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-20 21:04 UTC by foca@salesforce.com
Modified: 2018-08-25 13:31 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments
Proof of concept (5.35 KB, application/pdf)
2017-06-20 21:04 UTC, foca@salesforce.com
Details

Note You need to log in before you can comment on or make changes to this bug.
Description foca@salesforce.com 2017-06-20 21:04:07 UTC
Created attachment 132101 [details]
Proof of concept

There is a bug attempting free on address which was not malloc() in cairo-clip.c:137:
127	void
128	_cairo_clip_destroy (cairo_clip_t *clip)
129	{
130	    if (clip == NULL || _cairo_clip_is_all_clipped (clip))
131		return;
132	
133	    if (clip->path != NULL)
134		_cairo_clip_path_destroy (clip->path);
135	
136	    if (clip->boxes != &clip->embedded_box)
137		free (clip->boxes);

In some cases clip->boxes could be allocated but in the PoC is not allocated is assigned to clip->embedded_box a member of the same class at cairo-clip-boxes.c:165
149	static cairo_clip_t *
150	_cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
151					     const cairo_rectangle_int_t *r,
152					     const cairo_box_t *box)
153	{
154	    cairo_box_t extents_box;
155	    cairo_bool_t changed = FALSE;
156	    int i, j;
157	
158	    if (clip == NULL) {
159		clip = _cairo_clip_create ();
160		if (clip == NULL)
161		    return _cairo_clip_set_all_clipped (clip);
162	    }
163	
164	    if (clip->num_boxes == 0) {
165		clip->boxes = &clip->embedded_box;

There is already a check in _cairo_clip_destroy to avoid similar cases:
136	    if (clip->boxes != &clip->embedded_box)

But with the PoC the clip where the embedded_box is comming is different the the clip being destroyed.

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 1 GitLab Migration User 2018-08-25 13:31:54 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/51.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.