Bug 101531 - NULL pointer dereference in cairo-polygon-intersect.c:1170
Summary: NULL pointer dereference in cairo-polygon-intersect.c:1170
Alias: None
Product: cairo
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
Depends on:
Reported: 2017-06-20 21:26 UTC by foca@salesforce.com
Modified: 2018-08-25 13:56 UTC (History)
0 users

See Also:
i915 platform:
i915 features:

Proof of concept (6.05 KB, application/pdf)
2017-06-20 21:26 UTC, foca@salesforce.com
Adds the proposed null ptr check (780 bytes, patch)
2017-09-20 23:18 UTC, Bryce Harrington
Details | Splinter Review

Description foca@salesforce.com 2017-06-20 21:26:11 UTC
Created attachment 132102 [details]
Proof of concept

There is a NULL pointer dereference in cairo-polygon-intersect.c:1170 in function active_edges:
1142	static inline void
1143	active_edges (cairo_bo_edge_t		*left,
1144		      int32_t			 top,
1145		      cairo_polygon_t	        *polygon)
1146	{
1150		/* Yes, this is naive. Consider this a placeholder. */
1152		while (left != NULL) {
1153		    assert (is_zero (winding));
1155		    do {
1156			winding[left->a_or_b] += left->edge.dir;
1157			if (! is_zero (winding))
1158			    break;
1160			if unlikely ((left->deferred.other))
1161			    edges_end (left, top, polygon);
1163			left = left->next;
1164			if (! left)
1165			    return;
1166		    } while (1);
1168		    right = left->next;
1169		    do {
1170			if unlikely ((right->deferred.other))

left ->next is NULL in line 1168 so right is also set to NULL. When line 1170 is reached, the program tries to get deferred. Since right is 0, the program tries to dereference 0x30 causing a segmentation fault.

This could be avoided with an extra check in 1169:
1169                if (right == NULL) return;

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 1 Bryce Harrington 2017-09-20 23:18:19 UTC
Created attachment 134390 [details] [review]
Adds the proposed null ptr check

Attached is a patch to implement the proposed null ptr check.

However, what's needed is an analysis of the PDF to see how exactly it's constructing this invalid data, since I seriously doubt having right==NULL is a valid software condition.  So, ideally, this should be an assert() not a null ptr check.
Comment 2 GitLab Migration User 2018-08-25 13:56:04 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/274.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.