NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558
Submitted by foca@salesforce.com. Assigned to Chris Wilson (@ickle).
Link to original bug (#101527)
Description
Created attachment 132097 Proof of concept
There is a NULL pointer dereference in cairo-bentley-ottmann-rectangular.c:558 in the function sweep_line_delete_edge:
```c
543 sweep_line_delete_edge (sweep_line_t *sweep, edge_t *edge)
544 {
545     if (edge->right != NULL) {
546         edge_t *next = edge->next;
547         if (next->x == edge->x) {
548             next->top = edge->top;
549             next->right = edge->right;
550         } else
551             edge_end_box (sweep, edge, sweep->current_y);
552     }
553
554     if (sweep->cursor == edge)
555         sweep->cursor = edge->prev;
556
557     edge->prev->next = edge->next;
558     edge->next->prev = edge->prev;
```
edge->next is NULL at line 558, so `edge->next->prev` dereferences address 0x8: `->prev` sits at offset +8 in the edge struct, which is why the segfault occurs at address 0x8.
I don't know exactly why the ->next field is NULL, I guess a solution could be to check for this condition at the beginning of the function.
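The following is an added example, not cairo's code and not part of the report: a minimal sentinel-bounded edge list modelled on the fields the excerpt uses, showing why an unlink with `edge->next == NULL` faults at the offset of `->prev` and how a guard of the kind suggested above refuses the operation instead. The field order (`next`, `prev` first), the list helpers and the names `unlink_checked` / `unlink_unchecked` are assumptions for illustration.

```c
/* Added example (not cairo's code): a minimal model of the sweep-line edge
 * list, used to show why an unlink with edge->next == NULL faults at
 * offsetof(edge_t, prev) and how a guard avoids it. The field layout
 * (next, prev first) and all helper names are assumed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct _edge edge_t;
struct _edge {
    edge_t *next;   /* offset 0 */
    edge_t *prev;   /* offset sizeof(void *): 0x8 on 64-bit, the address in the report */
    edge_t *right;
    int x, top;
};

/* Offset of ->prev: the fault address when ->next is NULL. */
size_t prev_field_offset(void) { return offsetof(edge_t, prev); }

/* Sentinel-bounded list: head/tail are never unlinked, so a well-formed
 * interior edge always has non-NULL next and prev. */
typedef struct { edge_t head, tail; } edge_list_t;

void list_init(edge_list_t *l) {
    l->head.next = &l->tail; l->head.prev = NULL;
    l->tail.prev = &l->head; l->tail.next = NULL;
    l->head.right = l->tail.right = NULL;
}

void list_insert_after(edge_t *pos, edge_t *e) {
    e->prev = pos; e->next = pos->next;
    pos->next->prev = e; pos->next = e;
}

/* Unguarded unlink, the shape of lines 557-558. With edge->next == NULL the
 * second statement writes to address offsetof(edge_t, prev). Not called here. */
void unlink_unchecked(edge_t *edge) {
    edge->prev->next = edge->next;
    edge->next->prev = edge->prev;
}

/* Guarded unlink: refuse to touch an edge that is not properly linked.
 * Returns 0 on success, -1 if the edge is not in a well-formed list. */
int unlink_checked(edge_t *edge) {
    if (edge == NULL || edge->next == NULL || edge->prev == NULL)
        return -1;
    if (edge->prev->next != edge || edge->next->prev != edge)
        return -1;   /* links inconsistent: corrupted or already unlinked */
    edge->prev->next = edge->next;
    edge->next->prev = edge->prev;
    edge->next = edge->prev = NULL;   /* leave no stale links behind */
    return 0;
}

int list_count(const edge_list_t *l) {
    int n = 0;
    for (const edge_t *e = l->head.next; e != &l->tail; e = e->next) n++;
    return n;
}

/* Scenario 1: a normal interior delete succeeds and keeps the list consistent.
 * Returns the number of edges left (2), or -1 on any inconsistency. */
int demo_interior_delete(void) {
    edge_list_t l; edge_t a = {0}, b = {0}, c = {0};
    list_init(&l);
    list_insert_after(&l.head, &a);
    list_insert_after(&a, &b);
    list_insert_after(&b, &c);
    if (unlink_checked(&b) != 0) return -1;
    if (a.next != &c || c.prev != &a) return -1;
    return list_count(&l);
}

/* Scenario 2: an edge whose ->next was never set (the report's condition)
 * is rejected by the guard (-1) instead of faulting. */
int demo_detached_edge(void) {
    edge_t orphan = {0}, holder = {0};
    orphan.prev = &holder; holder.next = &orphan;   /* prev valid, next NULL */
    return unlink_checked(&orphan);
}

int main(void) {
    printf("offsetof(edge_t, prev) = %zu\n", prev_field_offset());
    printf("interior delete -> %d edges left\n", demo_interior_delete());
    printf("detached edge unlink -> %d\n", demo_detached_edge());
    return 0;
}
```

The guard checks both neighbours' back-links as well as the NULL case, so it also catches a double unlink or a corrupted list rather than only the exact condition reported; in the real code the interesting question remains why an edge reached `sweep_line_delete_edge` without a `->next`, since with sentinels that should not happen.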
This bug was found when using a poppler util, pdftocairo. A PoC is attached. To reproduce the bug use: `pdftocairo -svg PoC.pdf`
This vulnerability has been found by Offensive Research at Salesforce.com: Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Attachment 132097, "Proof of concept":
PoC.pdf