This was found through a Coverity scan of the Mozilla source; see <http://scan.coverity.com/>. See |_clip_and_composite_trapezoids| in cairo-surface-fallback.c. If |_cairo_region_create_from_rectangle| returns NULL, it's dereferenced under the call to _cairo_clip_intersect_to_region which chains to pixman_region_intersect.
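An added example, not cairo's own code, that models the failure path described above: a region allocator with fault injection standing in for |_cairo_region_create_from_rectangle|, and a caller that carries the NULL check, so the OOM branch can actually be exercised in a test rather than only under real memory pressure. All names, types and the allocator are assumptions.

```c
#include <stdlib.h>

/* Constructed model of the code path in bug #6197, not cairo's own code. */
typedef enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1 } status_t;
typedef struct { int x, y, w, h; } rect_t;
typedef struct { rect_t r; } region_t;
/* Fault injection: when set, the next allocation returns NULL (as under OOM). */
static int fail_next_alloc = 0;

static void *alloc_or_fail(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Stand-in for _cairo_region_create_from_rectangle: may return NULL. */
static region_t *region_create_from_rectangle(const rect_t *r)
{
    region_t *reg = alloc_or_fail(sizeof *reg);
    if (reg) reg->r = *r;
    return reg;
}

/* Stand-in for _cairo_clip_intersect_to_region: it dereferences the region,
 * which is where the unpatched code crashed when handed NULL. */
static status_t clip_intersect_to_region(const rect_t *clip, region_t *reg)
{
    if (clip->x > reg->r.x) reg->r.x = clip->x; /* faults if reg == NULL */
    return STATUS_SUCCESS;
}

/* Patched shape of _clip_and_composite_trapezoids: check before use. */
status_t clip_and_composite(const rect_t *clip, const rect_t *extents)
{
    region_t *clear_region = region_create_from_rectangle(extents);
    if (clear_region == NULL)
        return STATUS_NO_MEMORY; /* the check the diff adds */
    status_t status = clip_intersect_to_region(clip, clear_region);
    free(clear_region);
    return status;
}

/* Exercise the OOM path deliberately (inject_oom = 1) or the normal path (0). */
status_t run_path(int inject_oom)
{
    rect_t clip = {0, 0, 10, 10}, extents = {2, 2, 5, 5};
    fail_next_alloc = inject_oom;
    return clip_and_composite(&clip, &extents);
}
```

Without the NULL check, run_path(1) would segfault inside clip_intersect_to_region instead of returning an error the caller can propagate.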
This is now fixed in cairo 1.1.1 and 1.0.3. -Carl diff-tree 6f0d8eedc504e8af2224c502be25dc82b5df70f4 (from 79075b2cb1ce1397506fc10572df96f6fd00ecc3) Author: Carl Worth <cworth@cworth.org> Date: Mon Mar 13 12:25:25 2006 -0800 _clip_and_composite_trapezoids: Avoid NULL pointer dereference due to OOM. This closes bug #6197: Null pointer dereference on OOM in _clip_and_composite_trapezoids() https://bugs.freedesktop.org/show_bug.cgi?id=6197 diff --git a/src/cairo-surface-fallback.c b/src/cairo-surface-fallback.c index 9dde31f..9b6cfd6 100644 --- a/src/cairo-surface-fallback.c +++ b/src/cairo-surface-fallback.c @@ -549,6 +549,9 @@ _clip_and_composite_trapezoids (cairo_pa return status; clear_region = _cairo_region_create_from_rectangle (&extents); + if (clear_region == NULL) + return CAIRO_STATUS_NO_MEMORY; + status = _cairo_clip_intersect_to_region (clip, clear_region); if (status) return status;
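Review bot: The added `if (clear_region == NULL) return CAIRO_STATUS_NO_MEMORY;` is placed correctly, directly after `_cairo_region_create_from_rectangle (&extents)` and before anything touches the region, and it mirrors the existing early-return style (`if (status) return status;`) in the same function, so the OOM case now propagates an error instead of dereferencing NULL in `_cairo_clip_intersect_to_region`. One thing worth confirming in the surrounding code: the pre-existing `if (status) return status;` right after `_cairo_clip_intersect_to_region` returns with `clear_region` still allocated, so unless that function or a caller destroys the region on failure, that error path leaks it; the commit message does not say whether that was checked.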
...and marked as resolved.