Bug 91266 - Out of bound access in struct pattern -> type
Summary: Out of bound access in struct pattern -> type
Alias: None
Product: cairo
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Ashim
QA Contact: cairo-bugs mailing list
Depends on:
Reported: 2015-07-08 11:15 UTC by Ashim
Modified: 2015-07-09 22:02 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description Ashim 2015-07-08 11:15:09 UTC
Out of bound access


http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer.c, At line: 1712

"print_array" is called with argument "p->type" and "pattern_names".

where 'pattern_names' length is 8 as below
static const char *pattern_names[] = {
    "other surface",

At line:1587, 8th element will be accessed i.e. array[7] ( or p->type[7] ) as in below.

    for (i = j = 0; i < count; i++) { //count is 8
==>	if (array[i] != 0) 
	    order[j++] = i;

'p' is struct in http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer-private.h as below
struct pattern {
    unsigned int type[7]; /* native/record/other surface/gradients */

'type' is of length 7 and Hence accessing 8th element of 'p->type' as above will result in out of bound access.

'type' array should be of length 8.
type[7] -> type[8]
Comment 1 Bryce Harrington 2015-07-09 22:02:45 UTC
Thanks, applied.

commit 498fc2fbe31682754f1aa3864b764229d0b6838c
Author: Ashim <ashim.shah@samsung.com>
Date:   Thu Jul 9 10:43:30 2015 +0530

    Fix out of bound access in struct pattern->type

    The pattern structure is hardcoded to hold 7 elements, yet the
    pattern_names array in cairo-surface-observer.c is initialized with 8
    strings.  This causes a crash in print_array at line 1587 when it tries
    to access the 8th member.

    Hence changed the 'type' array from type[7] to type[8] to avoid out of
    bound access.

    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=91266
    Signed-off-by: Ashim <ashim.shah@samsung.com>
    Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.