A null pointer dereference in function _cairo_polygon_intersect in cairo 1.17.2
cairo 1.17.2
version
poppler 0.74 with cairo 1.17.2
description
None
download link
None
_cairo_polygon_intersect@cairo-polygon-intersect.c:1171-6___out-of-bounds-read
description
An issue was discovered in poppler-0.74. There is an out-of-bounds read (a null pointer dereference) in function _cairo_polygon_intersect at cairo-polygon-intersect.c:1171:6.
commandline
pdftocairo @@ -png 1.png
source
src:/src/cairo/src/cairo-polygon-intersect.c:1171:6
1167 } while (1);
1168
1169 right = left->next;
1170 do {
>1171 if unlikely ((right->deferred.other))
1172 edges_end (right, top, polygon);
1173
1174 winding[right->a_or_b] += right->edge.dir;
1175 if (is_zero (winding)) {
1176 if (right->next == NULL ||
gdb debug
gdb-peda$ p right
$2 = (cairo_bo_edge_t *) 0x0
gdb-peda$ list
1166 return;
1167 } while (1);
1168
1169 right = left->next;
1170 do {
1171 if unlikely ((right->deferred.other))
1172 edges_end (right, top, polygon);
1173
1174 winding[right->a_or_b] += right->edge.dir;
1175 if (is_zero (winding)) {
bug report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==10290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f0995690904 bp 0x7ffc02a0cab0 sp 0x7ffc02a09940 T0)
==10290==The signal is caused by a READ memory access.
==10290==Hint: address points to the zero page.
#0 0x7f0995690903 in _cairo_polygon_intersect /src/cairo/src/cairo-polygon-intersect.c:1171:6
#1 0x7f09956efbdf in clip_and_composite_polygon /src/cairo/src/cairo-spans-compositor.c:946:12
#2 0x7f09956eb73d in _cairo_spans_compositor_stroke /src/cairo/src/cairo-spans-compositor.c:1083:15
#3 0x7f099558b48e in _cairo_compositor_stroke /src/cairo/src/cairo-compositor.c:157:11
#4 0x7f09955f11b3 in _cairo_image_surface_stroke /src/cairo/src/cairo-image-surface.c:982:12
#5 0x7f0995734725 in _cairo_surface_stroke /src/cairo/src/cairo-surface.c:2377:14
#6 0x7f09955b3a63 in _cairo_gstate_stroke /src/cairo/src/cairo-gstate.c:1188:12
#7 0x7f099559a66f in _cairo_default_context_stroke /src/cairo/src/cairo-default-context.c:1010:14
#8 0x7f0995785349 in INT_cairo_stroke /src/cairo/src/cairo.c:2366:14
#9 0x5419e2 in CairoOutputDev::stroke(GfxState*) /src/poppler-0.74/poppler/CairoOutputDev.cc:823:5
#10 0x7f099471160a in Gfx::opStroke(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:1776:7
#11 0x7f099474d662 in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
#12 0x7f09947496f7 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
#13 0x7f09947485a3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
#14 0x7f09947532e5 in Gfx::drawForm(Object*, Dict*, double const*, double const*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) /src/poppler-0.74/poppler/Gfx.cc:4841:3
#15 0x7f09947843a0 in Gfx::doForm(Object*) /src/poppler-0.74/poppler/Gfx.cc:4764:3
#16 0x7f099470b0f0 in Gfx::opXObject(Object*, int) /src/poppler-0.74/poppler/Gfx.cc:4181:2
#17 0x7f099474d662 in Gfx::execOp(Object*, Object*, int) /src/poppler-0.74/poppler/Gfx.cc:876:3
#18 0x7f09947496f7 in Gfx::go(bool) /src/poppler-0.74/poppler/Gfx.cc:752:7
#19 0x7f09947485a3 in Gfx::display(Object*, bool) /src/poppler-0.74/poppler/Gfx.cc:714:3
#20 0x7f099498312c in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/Page.cc:548:10
#21 0x7f09949a0891 in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) /src/poppler-0.74/poppler/PDFDoc.cc:665:20
#22 0x52d976 in main /src/poppler-0.74/utils/pdftocairo.cc:730:8
#23 0x7f0992daf82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#24 0x4258b8 in _start (/src/aflbuild/installed/bin/pdftocairo+0x4258b8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/cairo/src/cairo-polygon-intersect.c:1171:6 in _cairo_polygon_intersect
==10290==ABORTING
others
from fuzz project pwd-poppler-pdftocairo-00
crash name pwd-poppler-pdftocairo-00-00000000-20190319.pdf
Auto-generated by pyspider at 2019-03-19 10:31:22