Bug 105084 - Uninitialized memory leads to invalid free
Product: cairo
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
Reported: 2018-02-13 21:05 UTC by Federico Mena-Quintero
Modified: 2018-03-09 02:12 UTC

Attachment: cairo-105084.patch (903 bytes, patch)
2018-02-13 21:09 UTC, Federico Mena-Quintero

Description Federico Mena-Quintero 2018-02-13 21:05:59 UTC
Running this:

  CAIRO_TEST_TARGET=image libtool --mode=execute valgrind ./cairo-test-suite -f api-special-cases

Gets this:

TESTING api-special-cases
api-special-cases.image.argb32 [0x1]:   ==20255== Conditional jump or move depends on uninitialised value(s)
==20255==    at 0x4C2E271: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20255==    by 0x4EEEDAB: _cairo_ft_options_fini (cairo-ft-font.c:206)
==20255==    by 0x4EEEDAB: _cairo_ft_font_face_destroy (cairo-ft-font.c:3163)
==20255==    by 0x4E63845: cairo_font_face_destroy (cairo-font-face.c:186)
==20255==    by 0x4EB1CC2: _cairo_toy_font_face_destroy (cairo-toy-font-face.c:371)
==20255==    by 0x4E63845: cairo_font_face_destroy (cairo-font-face.c:186)
==20255==    by 0x4E652C5: _cairo_gstate_fini (cairo-gstate.c:197)
==20255==    by 0x4E61AB5: _cairo_default_context_fini (cairo-default-context.c:75)
==20255==    by 0x4E61B28: _cairo_default_context_destroy (cairo-default-context.c:93)
==20255==    by 0x412BC8: draw (api-special-cases.c:1919)
==20255==    by 0x40E70A: cairo_test_for_target (cairo-test.c:933)
==20255==    by 0x40E70A: _cairo_test_context_run_for_target (cairo-test.c:1536)  
==20255==    by 0x40C038: _cairo_test_runner_draw (cairo-test-runner.c:255)
==20255==    by 0x40C038: main (cairo-test-runner.c:937)
==20255==  Uninitialised value was created by a heap allocation
==20255==    at 0x4C2D08F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20255==    by 0x4EEEB42: _cairo_ft_font_face_create_for_pattern (cairo-ft-font.c:3250)
==20255==    by 0x4EEEEEF: _cairo_ft_font_face_create_for_toy (cairo-ft-font.c:3098)
==20255==    by 0x4EB1F5F: _cairo_toy_font_face_create_impl_face (cairo-toy-font-face.c:168)
==20255==    by 0x4EB1F5F: _cairo_toy_font_face_init (cairo-toy-font-face.c:197)  
==20255==    by 0x4EB1F5F: cairo_toy_font_face_create (cairo-toy-font-face.c:321) 
==20255==    by 0x4EB9B0C: cairo_select_font_face (cairo.c:3042)
==20255==    by 0x411B37: test_cairo_select_font_face (api-special-cases.c:654)   
==20255==    by 0x412950: test_context (api-special-cases.c:1833)
==20255==    by 0x412BB5: draw (api-special-cases.c:1917)
==20255==    by 0x40E70A: cairo_test_for_target (cairo-test.c:933)
==20255==    by 0x40E70A: _cairo_test_context_run_for_target (cairo-test.c:1536)  
==20255==    by 0x40C038: _cairo_test_runner_draw (cairo-test-runner.c:255)
==20255==    by 0x40C038: main (cairo-test-runner.c:937)

This is uninitialized memory from _cairo_ft_font_face_create_for_pattern()'s call to malloc().  It is not initializing font_face->ft_options.
Comment 1 Federico Mena-Quintero 2018-02-13 21:09:58 UTC
Created attachment 137338

I believe there's just a call missing to _get_pattern_ft_options() to initialize font_face->ft_options.  It may be good to factor out the initialization of font_face from _cairo_ft_font_face_create_for_pattern() and _cairo_ft_font_face_create(), since both call malloc() and must initialize each field by hand.
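The failure mode described in the report and the refactoring suggested in comment 1, as an added C example that is not cairo's code: a font-face struct whose options field owns a heap pointer, one constructor that sets the other fields by hand but forgets that one (the bug pattern), and one that goes through a single shared init helper (the suggested fix). Reading genuinely uninitialized memory is undefined behaviour, so the allocator here poisons fresh memory with 0xAA, standing in for what valgrind or MALLOC_PERTURB_ would expose, and the checked destroy inspects the raw bytes of the pointer and refuses to hand a poisoned value to free(). Every type and function name below is invented for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-ins for the cairo types in the report: a font face
 * embedding an options struct whose fini() frees a heap pointer. */
typedef struct {
    char *extra;        /* heap-owned; released by ft_options_fini() */
    int   hint_style;
} ft_options_t;

typedef struct {
    int          refcount;
    ft_options_t ft_options;
} font_face_t;

#define POISON 0xAA

/* Poisoning allocator: fills fresh memory with a known byte so a field that
 * was never initialized is detectable, instead of being whatever the heap
 * happened to contain (which is what the valgrind report is about). */
static void *poison_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, POISON, n);
    return p;
}

/* Inspect the object representation of the pointer field without ever
 * dereferencing it or passing it to free(). */
static int options_are_poisoned(const ft_options_t *o)
{
    unsigned char bytes[sizeof o->extra];
    memcpy(bytes, &o->extra, sizeof bytes);
    for (size_t i = 0; i < sizeof bytes; i++)
        if (bytes[i] != POISON)
            return 0;
    return 1;
}

static void ft_options_init(ft_options_t *o)
{
    o->extra = NULL;
    o->hint_style = 0;
}

static void ft_options_fini(ft_options_t *o)
{
    free(o->extra);     /* free(NULL) is a no-op; free(garbage) is the bug */
    o->extra = NULL;
}

/* Bug pattern from the report: malloc, initialize some fields by hand,
 * forget ft_options entirely. */
font_face_t *font_face_create_buggy(void)
{
    font_face_t *f = poison_malloc(sizeof *f);
    if (!f)
        return NULL;
    f->refcount = 1;
    /* f->ft_options is left as whatever the allocator returned */
    return f;
}

/* Suggested fix: one init routine that every constructor goes through, so a
 * field added to the struct has exactly one place to be initialized. */
static void font_face_init(font_face_t *f)
{
    f->refcount = 1;
    ft_options_init(&f->ft_options);
}

font_face_t *font_face_create_fixed(void)
{
    font_face_t *f = poison_malloc(sizeof *f);
    if (!f)
        return NULL;
    font_face_init(f);
    return f;
}

/* Returns 1 if destroying this face would have passed an indeterminate
 * pointer to free(); the struct itself is still released, the bad field is
 * skipped. Returns 0 on a clean teardown. */
int font_face_destroy_checked(font_face_t *f)
{
    if (!f)
        return 0;
    if (options_are_poisoned(&f->ft_options)) {
        free(f);
        return 1;
    }
    ft_options_fini(&f->ft_options);
    free(f);
    return 0;
}

int main(void)
{
    font_face_t *b = font_face_create_buggy();
    printf("buggy constructor: invalid free %s\n",
           font_face_destroy_checked(b) ? "caught" : "not detected");

    font_face_t *g = font_face_create_fixed();
    g->ft_options.extra = malloc(8);   /* give fini() something real to free */
    printf("fixed constructor: teardown %s\n",
           font_face_destroy_checked(g) ? "FAILED" : "clean");
    return 0;
}
```

In the real bug the fini is reached through cairo_font_face_destroy() and the only "check" is valgrind; the poison allocator simply makes the missing initialization reproducible rather than dependent on heap layout. The same property is what you get in a test environment by running with MALLOC_PERTURB_ set or under valgrind, which is how the report was produced.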
Comment 2 Pavel Vinogradov 2018-03-05 22:32:00 UTC
zathura segfaults when loading a document. The patch helps indeed. Thank you.
Comment 3 Federico Mena-Quintero 2018-03-09 02:12:40 UTC
This is now commit 45e3b8f27179cf1130bfa61a09ef366fd313a0e1.