Bug 63045 - Crash in cairo_fill_preserve after cairo_arc call
Summary: Crash in cairo_fill_preserve after cairo_arc call
Alias: None
Product: cairo
Classification: Unclassified
Component: general
Version: 1.4.0
Hardware: x86-64 (AMD64) All
Importance: medium normal
Assignee: Chris Wilson
QA Contact: cairo-bugs mailing list
Reported: 2013-04-02 19:35 UTC by Milan Sreckovic
Modified: 2018-08-25 13:53 UTC
CC: 1 user


Compile and crash on the last call of "TryCircle" (966 bytes, text/plain)
2013-04-02 19:35 UTC, Milan Sreckovic

Description Milan Sreckovic 2013-04-02 19:35:04 UTC
Created attachment 77339
Compile and crash on the last call of "TryCircle"

Compile and run the attached.  This will crash:

cairo_arc(cairo, 0.0, 1.0, 5761126469220696064.0, 0.0, 6.2831853071795862);

while this does not:

cairo_arc(cairo, 0.0, 0.0, 5761126469220696064.0, 0.0, 6.2831853071795862);
Comment 1 Uli Schlachter 2013-04-02 19:40:32 UTC
With both cairo git fdec6b37596d8b064ff082326d7189daa8208052 and cairo 1.12.2, the following happens. Since this doesn't crash on git, I don't think that there is an issue...?

$ ./a.out 
Starting the test
Start centerY 0.000000, radius 14.000000
Finish centerY 0.000000 radius 14.000000
Start centerY 1.000000, radius 14.000000
Finish centerY 1.000000 radius 14.000000
Start centerY 0.000000, radius 8761126469220696064.000000
Finish centerY 0.000000 radius 8761126469220696064.000000
Start centerY 1.000000, radius 8761126469220696064.000000
Finish centerY 1.000000 radius 8761126469220696064.000000
Start centerY 0.000000, radius 5761126469220696064.000000
Finish centerY 0.000000 radius 5761126469220696064.000000
Start centerY 1.000000, radius 5761126469220696064.000000
Finish centerY 1.000000 radius 5761126469220696064.000000
Finished the test
Comment 2 Milan Sreckovic 2013-04-03 13:02:10 UTC
I'm on Ubuntu, with "install libcairo2", which seems to install 1.4.0. I changed the version in the bug. I will try with the latest.
Comment 3 Milan Sreckovic 2013-04-03 13:27:37 UTC
(In reply to comment #1)
> With both cairo git fdec6b37596d8b064ff082326d7189daa8208052 and cairo
> 1.12.2, the following happens. Since this doesn't crash on git, I don't
> think that there is an issue...?
Are you doing a 32-bit version or a 64-bit version?
Comment 4 Uli Schlachter 2013-04-03 16:07:58 UTC
Cairo 1.4.0 on Ubuntu? According to [0], 1.6.0 is the oldest cairo version still used by Ubuntu 8.04. Cairo 1.6.0 and Ubuntu 8.04 were released in 2008 (5 years ago!). Even the support for that Ubuntu version ended this month. That's really ancient software which means any bugs you see likely are already fixed in anything non-ancient.

I was doing my tests on a debian testing amd64 system.

[0]: http://packages.ubuntu.com/search?suite=default&section=all&arch=any&keywords=libcairo2&searchon=names
Comment 5 Milan Sreckovic 2013-04-03 18:56:32 UTC
Indeed.  I was doing this on a fresh install, just getting cairo with apt-get install libcairo2-dev, and you are correct, that appears to be 1.10.2 (still fairly old, I guess).  I tried with the latest download, still get the crash.  I don't mind if this is fixed, just trying to figure out why I'm still seeing the problem.
Comment 6 Bryce Harrington 2018-05-08 02:11:38 UTC
I found this patch associated with the CVE:


However the code has changed considerably since then.  The checks might still be relevant in cairo-image-compositor.c such as in fill_boxes(), possibly other places, but I'm not certain.
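A caller-side guard for the crash class in the description and the checks discussed in comment 6, as an added example that is not the bug's attachment or cairo's own code: it rejects cairo_arc() arguments that cannot be represented before they ever reach the library. The function names and the coordinate limit (half of the 2^23 magnitude at which cairo's 24.8 fixed-point coordinates overflow) are assumptions.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Largest coordinate magnitude we let reach cairo. cairo stores path
 * coordinates in 24.8 fixed point, which overflows near 2^23 (8388608);
 * half of that is a conservative, tunable limit (an assumption here). */
#define ARC_COORD_LIMIT 4194304.0

/* Validate cairo_arc() arguments before the call: every value must be
 * finite, the radius non-negative, and the circle's bounding box
 * (center +/- radius) must stay inside ARC_COORD_LIMIT on both axes. */
bool arc_params_ok(double cx, double cy, double r, double a1, double a2)
{
    if (!isfinite(cx) || !isfinite(cy) || !isfinite(r) ||
        !isfinite(a1) || !isfinite(a2))
        return false;               /* NaN or infinity: reject */
    if (r < 0.0)
        return false;               /* negative radius: reject */
    if (fabs(cx) + r > ARC_COORD_LIMIT || fabs(cy) + r > ARC_COORD_LIMIT)
        return false;               /* would overflow fixed point */
    return true;
}

/* The six (centerY, radius) pairs from the test log in comment 1, with
 * centerX 0 and a full 0..2*pi sweep. Returns how many the guard rejects. */
int count_rejected_page_cases(void)
{
    const double center_y[] = { 0.0, 1.0 };
    const double radius[] = { 14.0, 8761126469220696064.0, 5761126469220696064.0 };
    int rejected = 0;
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 2; j++)
            if (!arc_params_ok(0.0, center_y[j], radius[i], 0.0, 6.2831853071795862))
                rejected++;
    return rejected;                /* 4: every huge-radius case */
}

int main(void)
{
    /* The crashing call from the description is rejected, so it would
     * never reach cairo_arc() or the following cairo_fill_preserve(). */
    printf("centerY 1.0, huge radius: %s\n",
           arc_params_ok(0.0, 1.0, 5761126469220696064.0, 0.0, 6.2831853071795862)
               ? "ok" : "rejected");
    printf("rejected %d of 6 logged cases\n", count_rejected_page_cases());
    return 0;
}
```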
Comment 7 GitLab Migration User 2018-08-25 13:53:14 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/cairo/cairo/issues/248.
