Overview:
---------
Out of bound access

Description:
-----------
http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer.c

At line 1712, "print_array" is called with the arguments "p->type" and "pattern_names", where 'pattern_names' has length 8, as below:

    static const char *pattern_names[] = {
        "native",
        "record",
        "other surface",
        "solid",
        "linear",
        "radial",
        "mesh",
        "raster"
    };

At line 1587, the 8th element will be accessed, i.e. array[7] (or p->type[7]), as below:

    for (i = j = 0; i < count; i++) {   /* count is 8 */
        if (array[i] != 0)
            order[j++] = i;
    }

'p' is a struct in http://cgit.freedesktop.org/cairo/tree/src/cairo-surface-observer-private.h, as below:

    struct pattern {
        unsigned int type[7]; /* native/record/other surface/gradients */
    };

'type' is of length 7, and hence accessing the 8th element of 'p->type' as above will result in an out of bound access.

Expected:
--------
'type' array should be of length 8: type[7] -> type[8]
Thanks, applied.

commit 498fc2fbe31682754f1aa3864b764229d0b6838c
Author: Ashim <ashim.shah@samsung.com>
Date:   Thu Jul 9 10:43:30 2015 +0530

    Fix out of bound access in struct pattern->type

    The pattern structure is hardcoded to hold 7 elements, yet the
    pattern_names array in cairo-surface-observer.c is initialized with
    8 strings. This causes a crash in print_array at line 1587 when it
    tries to access the 8th member. Hence changed the 'type' array from
    type[7] to type[8] to avoid out of bound access.

    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=91266
    Signed-off-by: Ashim <ashim.shah@samsung.com>
    Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
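As an added illustration (this is not cairo's code and is not part of the bug report or the commit above), the following C program shows the defensive shape of the fix: the counter array and the name table are both sized from one enum rather than a hard-coded literal, a compile-time check refuses to build if the two ever diverge again, and the index written into the counters is range-checked before use. The enum, the ARRAY_LENGTH macro and the functions record_pattern, order_nonzero and print_pattern_counts are this example's own names, chosen to mirror the loop quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not cairo's code): one enumerator per entry of
 * the pattern_names table quoted in the bug report, plus a sentinel
 * that equals the number of valid kinds. */
enum pattern_kind {
    PATTERN_NATIVE,
    PATTERN_RECORD,
    PATTERN_OTHER_SURFACE,
    PATTERN_SOLID,
    PATTERN_LINEAR,
    PATTERN_RADIAL,
    PATTERN_MESH,
    PATTERN_RASTER,
    PATTERN_KIND_COUNT      /* sentinel: one past the last valid kind */
};

static const char *pattern_names[] = {
    "native", "record", "other surface", "solid",
    "linear", "radial", "mesh", "raster"
};

#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))

/* The counters are sized from the enum, not from a literal such as 7,
 * so adding a kind to the enum grows this array automatically. */
struct pattern {
    unsigned int type[PATTERN_KIND_COUNT];
};

/* Compile-time check (portable to C89): if pattern_names and the enum
 * disagree in length, the array size becomes -1 and the build fails,
 * instead of the mismatch surfacing as an out-of-bounds read at runtime. */
typedef char names_and_counters_agree[
    ARRAY_LENGTH(pattern_names) == PATTERN_KIND_COUNT ? 1 : -1];

/* Record one observed pattern kind. Returns -1 and touches nothing if
 * 'kind' is outside the table, so a bad index can never reach type[]. */
static int record_pattern(struct pattern *p, int kind)
{
    if (kind < 0 || kind >= PATTERN_KIND_COUNT)
        return -1;
    p->type[kind]++;
    return 0;
}

/* The ordering loop from the report, with 'count' supplied by the caller
 * from the real array length. Returns the number of nonzero entries. */
static int order_nonzero(const unsigned int *array, size_t count, int *order)
{
    size_t i, j;
    for (i = j = 0; i < count; i++) {
        if (array[i] != 0)
            order[j++] = (int) i;
    }
    return (int) j;
}

/* Print the nonzero counters by name. Both arrays indexed here are the
 * same length by construction, so every order[i] is a valid index into
 * both. Returns the number of lines printed. */
static int print_pattern_counts(const struct pattern *p)
{
    int order[PATTERN_KIND_COUNT];
    int n = order_nonzero(p->type, ARRAY_LENGTH(p->type), order);
    int i;
    for (i = 0; i < n; i++)
        printf("%s: %u\n", pattern_names[order[i]], p->type[order[i]]);
    return n;
}

int main(void)
{
    struct pattern p = { {0} };
    record_pattern(&p, PATTERN_SOLID);
    record_pattern(&p, PATTERN_RASTER);   /* index 7: the one type[7] could not hold */
    record_pattern(&p, PATTERN_RASTER);
    return print_pattern_counts(&p) == 2 ? 0 : 1;
}
```

The compile-time typedef is the part worth copying: the original bug was two tables that had to agree in length but were maintained independently, and no test exercised the last entry. Deriving both sizes from one enum and asserting their equality at build time turns that class of drift into a compiler error.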