Bug 101550 - Infinite recursion at cairo-mesh-pattern-rasterizer.c:848
Summary: Infinite recursion at cairo-mesh-pattern-rasterizer.c:848
Alias: None
Product: cairo
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
Depends on:
Reported: 2017-06-21 22:13 UTC by foca@salesforce.com
Modified: 2018-08-25 13:36 UTC (History)

Proof of concept (1.45 KB, application/pdf)
2017-06-21 22:13 UTC, foca@salesforce.com
Fix for the stack overflow (727 bytes, patch)
2017-06-22 09:00 UTC, Andrea Canciani

Description foca@salesforce.com 2017-06-21 22:13:39 UTC
Created attachment 132125 [details]
Proof of concept


There is an infinite recursion in pdftocairo parsing the attached PoC1.pdf. As a result of the infinite (or very deep) recursion all the stack space is consumed and the application crashes.

The recursion happens at cairo-mesh-pattern-rasterizer.c:848:
844		    subc[2][i] = 0.5 * (c[0][i] + c[2][i]);
845		    subc[3][i] = 0.5 * (c[1][i] + c[3][i]);
846		}
848		draw_bezier_patch (data, width, height, stride, first, subc);
850		for (i = 0; i < 4; ++i) {
851		    subc[0][i] = subc[2][i];
852		    subc[1][i] = subc[3][i];

This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use:
pdftocairo -svg PoC1.pdf

This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 1 Albert Astals Cid 2017-06-21 22:39:33 UTC
Is this an actual cairo bug?
Comment 2 foca@salesforce.com 2017-06-21 22:43:44 UTC
Sorry, it's a bug in poppler while using the cairo backend.
Comment 3 Albert Astals Cid 2017-06-21 22:56:11 UTC
Come on, if I assign the bug to cairo because the recursion happens in cairo code, can you please not say "no no, you've no idea, the bug is in poppler" and change it back?

But ok, I'll ignore this bug and that's it.
Comment 4 foca@salesforce.com 2017-06-21 22:58:41 UTC
Sorry Albert, I didn't realize you changed the product, and I thought you were suggesting this was a poppler bug instead of a cairo one.

My apologies.
Comment 5 Andrea Canciani 2017-06-22 09:00:52 UTC
Created attachment 132129 [details] [review]
Fix for the stack overflow

This patch would fix the stack overflow, but the pattern in the PoC pdf file would still take an enormous amount of time to rasterize, given the current approach used in cairo.

Backward rasterization could probably help in handling such degenerate patterns more efficiently, but the peculiar ordering of the mesh layers makes their use nontrivial.

What is the best way forward? Is this patch sufficient?
Comment 6 Bryce Harrington 2017-07-10 17:18:03 UTC
Is there a practical use case for the pattern? If not, the render time is probably irrelevant, would just need to avoid the stack overflow, right?
Comment 7 Bryce Harrington 2017-09-20 21:57:02 UTC
Would anyone have an objection if I went ahead and landed this patch?
Comment 8 GitLab Migration User 2018-08-25 13:36:51 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/97.
