Attempting free on address which was not malloc() in cairo-clip.c:137
Submitted by foca@salesforce.com
Assigned to Chris Wilson @ickle
Link to original bug (#101530)
Description
Created attachment 132101 Proof of concept
There is a bug attempting free on an address which was not malloc()'d, in cairo-clip.c:137:

```c
127 void
128 _cairo_clip_destroy (cairo_clip_t *clip)
129 {
130     if (clip == NULL || _cairo_clip_is_all_clipped (clip))
131 	return;
132
133     if (clip->path != NULL)
134 	_cairo_clip_path_destroy (clip->path);
135
136     if (clip->boxes != &clip->embedded_box)
137 	free (clip->boxes);
```

In some cases clip->boxes is allocated, but in the PoC it is not allocated; it is assigned to clip->embedded_box, a member of the same class, at cairo-clip-boxes.c:165:

```c
149 static cairo_clip_t *
150 _cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
151 				     const cairo_rectangle_int_t *r,
152 				     const cairo_box_t *box)
153 {
154     cairo_box_t extents_box;
155     cairo_bool_t changed = FALSE;
156     int i, j;
157
158     if (clip == NULL) {
159 	clip = _cairo_clip_create ();
160 	if (clip == NULL)
161 	    return _cairo_clip_set_all_clipped (clip);
162     }
163
164     if (clip->num_boxes == 0) {
165 	clip->boxes = &clip->embedded_box;
```

There is already a check in _cairo_clip_destroy to avoid similar cases:

```c
136     if (clip->boxes != &clip->embedded_box)
```

But with the PoC, the clip where the embedded_box is coming from is different than the clip being destroyed.
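The following is an added illustration of the ownership problem described above; it is not cairo's code and not the fix that was applied to cairo. It uses a constructed stand-in for the relevant fields of cairo_clip_t and contrasts the address-based check from _cairo_clip_destroy ("does boxes point at my own embedded_box?") with a hypothetical explicit ownership flag (owns_boxes), which is an assumption of this example. The scenario function mirrors the report: one clip's boxes pointer refers to another clip's embedded_box, so the address check concludes the memory came from malloc() when it did not.

```c
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for the relevant fields of cairo_clip_t (illustration only). */
typedef struct { int x, y, width, height; } box_t;

typedef struct clip {
    box_t *boxes;        /* either &self->embedded_box or a malloc()'d array */
    int    num_boxes;
    box_t  embedded_box; /* inline storage used for the single-box case */
    int    owns_boxes;   /* hypothetical hardening: 1 only when this clip malloc()'d boxes */
} clip_t;

/* The address-based test used by _cairo_clip_destroy: compares boxes only
 * against this clip's own embedded_box. Returns 1 when free() would be called. */
int would_free_by_address(const clip_t *clip)
{
    return clip->boxes != &clip->embedded_box;
}

/* Hypothetical hardened test: decide from recorded ownership, not from the
 * address. Storage borrowed from any other clip is never freed here. */
int would_free_by_ownership(const clip_t *clip)
{
    return clip->owns_boxes;
}

/* Helpers that maintain the invariant "owns_boxes == 1 iff boxes came from malloc()". */
void clip_use_embedded(clip_t *clip)
{
    clip->boxes = &clip->embedded_box;
    clip->num_boxes = 1;
    clip->owns_boxes = 0;
}

int clip_alloc_boxes(clip_t *clip, int n)
{
    clip->boxes = calloc((size_t)n, sizeof(box_t));
    if (clip->boxes == NULL)
        return -1;
    clip->num_boxes = n;
    clip->owns_boxes = 1;
    return 0;
}

/* Release using the ownership flag; correct wherever boxes happens to point. */
void clip_fini_safe(clip_t *clip)
{
    if (would_free_by_ownership(clip))
        free(clip->boxes);
    clip->boxes = NULL;
    clip->num_boxes = 0;
    clip->owns_boxes = 0;
}

/* Shape of the report: clip b's boxes pointer refers to clip a's embedded_box.
 * Returns 1 if the address check would wrongly free it while the ownership
 * check correctly would not. No free() is actually performed here. */
int report_scenario_address_check_misfires(void)
{
    clip_t a = {0}, b = {0};
    clip_use_embedded(&a);
    b.boxes = a.boxes;          /* borrowed from a different clip, not malloc()'d */
    b.num_boxes = a.num_boxes;
    b.owns_boxes = 0;
    /* b.boxes != &b.embedded_box, so the address check says "free" -> invalid free */
    return would_free_by_address(&b) && !would_free_by_ownership(&b);
}

int main(void)
{
    clip_t heap = {0};
    if (clip_alloc_boxes(&heap, 4) != 0)
        return 1;
    printf("heap-backed clip: address check=%d ownership check=%d\n",
           would_free_by_address(&heap), would_free_by_ownership(&heap));
    clip_fini_safe(&heap);
    printf("borrowed embedded_box misfires under address check: %d\n",
           report_scenario_address_check_misfires());
    return 0;
}
```

The address comparison is a valid optimisation only while the invariant "boxes either points at my own embedded_box or at memory I allocated" holds; once a boxes pointer can be copied between clips, the destructor needs ownership information that the address alone does not carry. Running the affected binary under AddressSanitizer reports exactly the condition in the title, "attempting free on address which was not malloc()", which is how this class of bug is most cheaply caught in testing.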
This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use: `pdftocairo -svg PoC.pdf`
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 132101, "Proof of concept":
PoC.pdf