Null pointer dereferences in /src/cairo-surface.c:241,260
Hello,
I have identified two NULL-pointer dereferences in /src/cairo-surface.c at lines 241 and 260. The problem can be reproduced as follows:
- Compile libgxps.
- Go to build/tools.
- Run the ./xpstosvg tool with the attached file.
Sample run:
radu@compute4:~/apps/libgxps/libgxps-0.3.1/build/tools$ ./xpstosvg min/M2.5a.xps out_conv/pdf.svg
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
AddressSanitizer:DEADLYSIGNAL
=================================================================
==17010==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f83cd648b90 bp 0x7fff29398fd0 sp 0x7fff29398e78 T0)
==17010==The signal is caused by a READ memory access.
==17010==Hint: address points to the zero page.
#0 0x7f83cd648b8f /home/radu/apps/libcairo/cairo-1.16.0/src/cairo-surface.c:241
#1 0x51d1a7 in gxps_converter_print_converter_end_document /home/radu/apps/libgxps/libgxps-0.3.1/build/../tools/gxps-print-converter.c:216:18
#2 0x519726 in gxps_converter_end_document /home/radu/apps/libgxps/libgxps-0.3.1/build/../tools/gxps-converter.c:188:17
#3 0x519726 in gxps_converter_run /home/radu/apps/libgxps/libgxps-0.3.1/build/../tools/gxps-converter.c:332
#4 0x5173a5 in main /home/radu/apps/libgxps/libgxps-0.3.1/build/../tools/gxps-converter-main.c:40:9
#5 0x7f83cc6c682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#6 0x41b628 in _start (/home/radu/apps/libgxps/libgxps-0.3.1/build/tools/xpstosvg+0x41b628)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/radu/apps/libcairo/cairo-1.16.0/src/cairo-surface.c:241
==17010==ABORTING
Even though the crash was produced with cairo-1.16.0, the problem is still present in the latest version as well.
The issue: missing NULL-pointer checks:
[...]
cairo_content_t cairo_surface_get_content (cairo_surface_t *surface)
{
return surface->content;
}
[...]
[...]
cairo_status_t cairo_surface_status (cairo_surface_t *surface)
{
return surface->status;
}
[...]
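The following is an added example, not code from cairo or libgxps, that models the two accessors quoted above and the calling pattern visible in the trace (an "end document" step asking an output surface for its status after a page failed to load). The names surface_t, surface_status_unchecked, surface_status_checked, create_output_surface and end_document, and the STATUS_NULL_POINTER code, are hypothetical. The unchecked accessor has the same shape as the quoted cairo functions: with a NULL argument it reads a field at a small offset from address 0, which is exactly what the GDB session shows (mov eax, dword ptr [rdi + 0x1c] with RDI = 0, fault address 0x1c).

```c
/* Added example (hypothetical names); not cairo's or libgxps's code. */
#include <stddef.h>
#include <stdio.h>

typedef enum {
    STATUS_SUCCESS = 0,
    STATUS_NO_MEMORY = 1,
    STATUS_NULL_POINTER = 2   /* hypothetical error code for a NULL argument */
} status_t;

typedef struct {
    int ref_count;
    int content;
    status_t status;
} surface_t;

/* Same shape as the accessors quoted from cairo-surface.c: no check, so a
 * NULL surface reads from the zero page (ASan: "address points to the zero
 * page"). Calling this with NULL is the crash in the report. */
status_t surface_status_unchecked(const surface_t *surface)
{
    return surface->status;
}

/* Defensive variant: a NULL surface is reported as an error status rather
 * than dereferenced, so the caller gets a value it can act on. */
status_t surface_status_checked(const surface_t *surface)
{
    if (surface == NULL)
        return STATUS_NULL_POINTER;
    return surface->status;
}

/* Stand-in for the converter's output surface: when the page is not found
 * (as in "Page source ... not found in archive") no surface is created. */
static surface_t *create_output_surface(int page_found)
{
    static surface_t ok = { 1, 0, STATUS_SUCCESS };
    return page_found ? &ok : NULL;
}

/* Mirrors gxps_converter_print_converter_end_document in the backtrace:
 * it queries the surface status unconditionally at the end of the run. */
status_t end_document(int page_found)
{
    surface_t *surface = create_output_surface(page_found);
    /* With surface_status_unchecked() this line would fault on a missing page. */
    return surface_status_checked(surface);
}

int main(void)
{
    printf("page found:   status %d\n", end_document(1));
    printf("page missing: status %d\n", end_document(0));
    return 0;
}
```

Either side can carry the check: the library can refuse a NULL surface with an error status, or the caller can test the surface before asking for its status; the trace shows that in the reported run neither happens.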
GDB output:
pwndbg> r
Starting program: /home/radu/apps/libgxps/libgxps-0.3.1/build/tools/xpstosvg min/M2.5a.xps out_conv/pdf.svg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Error getting page 1: Page source /Documents/1/Pages/1.fpage not found in archive
Program received signal SIGSEGV, Segmentation fault.
INT_cairo_surface_status (surface=0x0) at cairo-surface.c:260
260 return surface->status;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────[ REGISTERS ]──────────────────────────────────────
RAX 0x621000001820 —▸ 0x610000000540 —▸ 0x60b000000510 ◂— 0x2
RBX 0xc4200000308 ◂— 0x0
RCX 0x2
RDX 0x60b000000510 ◂— 0x2
RDI 0x0
RSI 0x60b000000460 ◂— 0x2
R8 0x60b000000460 ◂— 0x2
R9 0x1
R10 0x2ad
R11 0x7ffff6fc3b90 (cairo_surface_status) ◂— mov eax, dword ptr [rdi + 0x1c]
R12 0x621000001820 —▸ 0x610000000540 —▸ 0x60b000000510 ◂— 0x2
R13 0x757920 (__afl_area_ptr) —▸ 0x13bdb10 (__afl_area_initial) ◂— 0x0
R14 0x621000001840 ◂— 0x0
R15 0x757920 (__afl_area_ptr) —▸ 0x13bdb10 (__afl_area_initial) ◂— 0x0
RBP 0x7fffffffdcf0 —▸ 0x7fffffffddd0 —▸ 0x51d720 (__libc_csu_init) ◂— push r15
RSP 0x7fffffffdb98 —▸ 0x51d1a8 (gxps_converter_print_converter_end_document+360) ◂— mov ebp, eax
RIP 0x7ffff6fc3b90 (cairo_surface_status) ◂— mov eax, dword ptr [rdi + 0x1c]
────────────────────────────────────────[ DISASM ]───────────────────────────────────────
► 0x7ffff6fc3b90 <cairo_surface_status> mov eax, dword ptr [rdi + 0x1c]
0x7ffff6fc3b93 <cairo_surface_status+3> ret
0x7ffff6fc3b94 nop
0x7ffff6fc3b96 nop word ptr cs:[rax + rax]
0x7ffff6fc3ba0 <cairo_surface_get_device> mov eax, dword ptr [rdi + 0x1c]
0x7ffff6fc3ba3 <cairo_surface_get_device+3> test eax, eax
0x7ffff6fc3ba5 <cairo_surface_get_device+5> jne cairo_surface_get_device+16 <0x7ffff6fc3bb0>
↓
0x7ffff6fc3bb0 <cairo_surface_get_device+16> mov edi, eax
0x7ffff6fc3bb2 <cairo_surface_get_device+18> jmp _cairo_device_create_in_error <0x7ffff6f73de0>
↓
0x7ffff6f73de0 <_cairo_device_create_in_error> sub rsp, 8
0x7ffff6f73de4 <_cairo_device_create_in_error+4> cmp edi, 0x2b
────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────
In file: /home/radu/apps/libcairo/cairo-1.16.0/src/cairo-surface.c
254 *
255 * Since: 1.0
256 **/
257 cairo_status_t
258 cairo_surface_status (cairo_surface_t *surface)
► 259 {
260 return surface->status;
261 }
262 slim_hidden_def (cairo_surface_status);
263
264 static unsigned int
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffffdb98 —▸ 0x51d1a8 (gxps_converter_print_converter_end_document+360) ◂— mov ebp, eax
01:0008│ 0x7fffffffdba0 ◂— 0x0
02:0010│ 0x7fffffffdba8 —▸ 0x7ffff78af14c (g_slice_free1+140) ◂— test rax, rax
03:0018│ 0x7fffffffdbb0 —▸ 0x7fffffffdc20 —▸ 0x621000001820 —▸ 0x610000000540 —▸ 0x60b000000510 ◂— ...
04:0020│ 0x7fffffffdbb8 ◂— 0x0
05:0028│ 0x7fffffffdbc0 —▸ 0x51d040 (gxps_converter_print_converter_end_document) ◂— push rbp
06:0030│ 0x7fffffffdbc8 —▸ 0x621000001820 —▸ 0x610000000540 —▸ 0x60b000000510 ◂— 0x2
07:0038│ 0x7fffffffdbd0 —▸ 0x7fffffffdcf0 —▸ 0x7fffffffddd0 —▸ 0x51d720 (__libc_csu_init) ◂— push r15
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 7ffff6fc3b90 cairo_surface_status
f 1 51d1a8 gxps_converter_print_converter_end_document+360
f 2 519727 gxps_converter_run+3543
f 3 519727 gxps_converter_run+3543
f 4 5173a6 main+358
f 5 7ffff6057830 __libc_start_main+240
Program received signal SIGSEGV (fault address 0x1c)