Hi, There is at least an out-of-bound write vulnerability in Cairo project. src/cairo-image-compositor.c 330 static cairo_int_status_t 331 fill_boxes (void *_dst, 332 cairo_operator_t op, 333 const cairo_color_t *color, 334 cairo_boxes_t *boxes) 335 { 336 cairo_image_surface_t *dst = _dst; 337 struct _cairo_boxes_chunk *chunk; 338 uint32_t pixel; 339 int i; 340 341 TRACE ((stderr, "%s x %d\n", __FUNCTION__, boxes->num_boxes)); 342 343 if (fill_reduces_to_source (op, color, dst, &pixel)) { 344 for (chunk = &boxes->chunks; chunk; chunk = chunk->next) { 345 for (i = 0; i < chunk->count; i++) { 346 int x = _cairo_fixed_integer_part (chunk->base[i].p1.x); 347 int y = _cairo_fixed_integer_part (chunk->base[i].p1.y); 348 int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) - x; 349 int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) - y; 350 pixman_fill ((uint32_t *) dst->data, 351 dst->stride / sizeof (uint32_t), 352 PIXMAN_FORMAT_BPP (dst->pixman_format), 353 x, y, w, h, pixel); 354 } 355 } 356 } As we can see from above code, x and y may be negative. (see https://bugzilla.mozilla.org/attachment.cgi?id=715614&action=diff) Below is the potential patch. static cairo_int_status_t fill_boxes (void *_dst, cairo_operator_t op, const cairo_color_t *color, cairo_boxes_t *boxes) { cairo_image_surface_t *dst = _dst; struct _cairo_boxes_chunk *chunk; uint32_t pixel; int i; TRACE ((stderr, "%s x %d\n", __FUNCTION__, boxes->num_boxes)); if (fill_reduces_to_source (op, color, dst, &pixel)) { for (chunk = &boxes->chunks; chunk; chunk = chunk->next) { for (i = 0; i < chunk->count; i++) { int x = _cairo_fixed_integer_part (chunk->base[i].p1.x); int y = _cairo_fixed_integer_part (chunk->base[i].p1.y); + x = (x < 0 ? 0 : x); + y = (y < 0 ? 0 : y); int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) - x; int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) - y; pixman_fill ((uint32_t *) dst->data, dst->stride / sizeof (uint32_t), PIXMAN_FORMAT_BPP (dst->pixman_format), x, y, w, h, pixel); } } } At the same time, code that calls _cairo_fixed_integer_part function should add same check. There are many functions, such as draw_image_boxes, composite_boxes and so on.
Is this actually an out-of-bounds write or do you just suppose that it could be one? Shouldn't the callers have clamped the boxes to the surface size so that no negative coordinates can show up?
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/96.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.