Fix infinite recursion at cairo-mesh-pattern-rasterizer.c:848
There is an infinite recursion in cairo-mesh-pattern-rasterizer.c which triggers e.g. when viewing SVG files using WPE/WebKit. As a result of the infinite (or very deep) recursion, all the stack space is consumed and the application crashes.
The recursion happens at cairo-mesh-pattern-rasterizer.c:848:
    844         subc[2][i] = 0.5 * (c[0][i] + c[2][i]);
    845         subc[3][i] = 0.5 * (c[1][i] + c[3][i]);
    846     }
    847
    848     draw_bezier_patch (data, width, height, stride, first, subc);
    849
    850     for (i = 0; i < 4; ++i) {
    851         subc[0][i] = subc[2][i];
    852         subc[1][i] = subc[3][i];
This vulnerability was first found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
This fix limits the depth of recursion to 10.
Original report: https://bugs.freedesktop.org/show_bug.cgi?id=101550
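
An added illustration, not cairo's code and not part of this commit: a recursive midpoint subdivision whose only stop test is geometric never terminates when that test cannot become true, and a depth cap of 10 (the limit named above) bounds it. The function `subdivide`, the one-unit threshold and the NaN input are assumptions constructed for the example; the page does not state what makes cairo's recursion fail to terminate.

```c
#include <math.h>   /* NAN */
#include <stdio.h>

#define MAX_DEPTH 10  /* recursion limit named in the commit message */

/* Hypothetical subdivision routine: split [a, b] at its midpoint until
 * each piece is shorter than one unit. Returns the number of leaf
 * pieces reached and sets *capped when the depth limit ended a branch. */
static int subdivide(double a, double b, int depth, int *capped)
{
    double len = b - a;
    if (len < 0)
        len = -len;

    /* Geometric stop test. Every comparison with NaN is false, so for a
     * non-finite input this branch is never taken. */
    if (len < 1.0)
        return 1;

    /* Without this check the NaN case below recurses until the stack
     * is exhausted. With it, each branch stops at MAX_DEPTH. */
    if (depth >= MAX_DEPTH) {
        *capped = 1;
        return 1;
    }

    double mid = 0.5 * (a + b);
    return subdivide(a, mid, depth + 1, capped)
         + subdivide(mid, b, depth + 1, capped);
}

int main(void)
{
    int capped = 0;
    int leaves = subdivide(0.0, 8.0, 0, &capped);   /* constructed input */
    printf("finite input: %d leaves, capped=%d\n", leaves, capped);

    capped = 0;
    leaves = subdivide(NAN, 8.0, 0, &capped);       /* constructed input */
    printf("NaN input:    %d leaves, capped=%d\n", leaves, capped);
    return 0;
}
```

A fixed cap bounds stack use but also truncates legitimate deep subdivisions, so the `capped` flag is worth surfacing to the caller or a log.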