Commit 19982393 authored by Adrian Johnson's avatar Adrian Johnson Committed by Bryce Harrington

Use _cairo_malloc instead of malloc



_cairo_malloc(0) always returns NULL, but has not been used
consistently.  This patch replaces many calls to malloc() with
_cairo_malloc().

Fixes:  fdo# 101547
CVE: CVE-2017-9814 Heap buffer overflow at cairo-truetype-subset.c:1299
Reviewed-by: default avatarBryce Harrington <bryce@osg.samsung.com>
parent 7554822d
From ceb9783179c1002acb61bfb2d5a1801f450c2b37 Mon Sep 17 00:00:00 2001
From: Bryce Harrington <bryce@osg.samsung.com>
Date: Wed, 20 Sep 2017 16:05:54 -0700
Subject: [PATCH cairo] polygon-intersection: Check for invalid right edge
Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
---
src/cairo-polygon-intersect.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cairo-polygon-intersect.c b/src/cairo-polygon-intersect.c
index 9c1777f..6fab924 100644
--- a/src/cairo-polygon-intersect.c
+++ b/src/cairo-polygon-intersect.c
@@ -1166,6 +1166,8 @@ active_edges (cairo_bo_edge_t *left,
} while (1);
right = left->next;
+ if (! right)
+ return;
do {
if unlikely ((right->deferred.other))
edges_end (right, top, polygon);
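Review bot: The new `if (! right) return;` guard carries no explanation of how `left->next` comes to be NULL at this point, and the early return skips whatever `active_edges` does with `top` and `polygon` after the pairing loop; whether that trailing state needs finalizing cannot be checked from the hunk, because the function starts and ends outside it. A one-line comment next to the guard would help the next reader, worded to the actual cause once confirmed, e.g. `/* no right edge to pair with left: nothing more to emit */`. If the NULL case reflects a malformed or degenerate edge list rather than a normal end condition, an assertion or a status return (as the callers permit) may be preferable to a silent return, since silently dropping an edge changes the produced polygon.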
--
2.7.4
......@@ -118,7 +118,7 @@ attach_proxy (cairo_surface_t *source,
{
struct proxy *proxy;
proxy = malloc (sizeof (*proxy));
proxy = _cairo_malloc (sizeof (*proxy));
if (unlikely (proxy == NULL))
return _cairo_surface_create_in_error (CAIRO_STATUS_NO_MEMORY);
......@@ -830,7 +830,7 @@ _cairo_analysis_surface_create (cairo_surface_t *target)
if (unlikely (status))
return _cairo_surface_create_in_error (status);
surface = malloc (sizeof (cairo_analysis_surface_t));
surface = _cairo_malloc (sizeof (cairo_analysis_surface_t));
if (unlikely (surface == NULL))
return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
......@@ -1020,7 +1020,7 @@ _cairo_null_surface_create (cairo_content_t content)
{
cairo_surface_t *surface;
surface = malloc (sizeof (cairo_surface_t));
surface = _cairo_malloc (sizeof (cairo_surface_t));
if (unlikely (surface == NULL)) {
return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
}
......
......@@ -125,7 +125,7 @@ _cairo_base64_stream_create (cairo_output_stream_t *output)
if (output->status)
return _cairo_output_stream_create_in_error (output->status);
stream = malloc (sizeof (cairo_base64_stream_t));
stream = _cairo_malloc (sizeof (cairo_base64_stream_t));
if (unlikely (stream == NULL)) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_output_stream_t *) &_cairo_output_stream_nil;
......
......@@ -114,7 +114,7 @@ _cairo_base85_stream_create (cairo_output_stream_t *output)
if (output->status)
return _cairo_output_stream_create_in_error (output->status);
stream = malloc (sizeof (cairo_base85_stream_t));
stream = _cairo_malloc (sizeof (cairo_base85_stream_t));
if (unlikely (stream == NULL)) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_output_stream_t *) &_cairo_output_stream_nil;
......
......@@ -547,7 +547,7 @@ cff_index_append_copy (cairo_array_t *index,
element.length = length;
element.is_copy = TRUE;
element.data = malloc (element.length);
element.data = _cairo_malloc (element.length);
if (unlikely (element.data == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -610,12 +610,12 @@ cff_dict_create_operator (int operator,
{
cff_dict_operator_t *op;
op = malloc (sizeof (cff_dict_operator_t));
op = _cairo_malloc (sizeof (cff_dict_operator_t));
if (unlikely (op == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
_cairo_dict_init_key (op, operator);
op->operand = malloc (size);
op->operand = _cairo_malloc (size);
if (unlikely (op->operand == NULL)) {
free (op);
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -716,7 +716,7 @@ cff_dict_set_operands (cairo_hash_table_t *dict,
op = _cairo_hash_table_lookup (dict, &key.base);
if (op != NULL) {
free (op->operand);
op->operand = malloc (size);
op->operand = _cairo_malloc (size);
if (unlikely (op->operand == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -870,7 +870,7 @@ cairo_cff_font_read_name (cairo_cff_font_t *font)
len -= 7;
}
}
font->ps_name = malloc (len + 1);
font->ps_name = _cairo_malloc (len + 1);
if (unlikely (font->ps_name == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -1858,7 +1858,7 @@ cairo_cff_font_create_cid_fontdict (cairo_cff_font_t *font)
cairo_status_t status;
font->num_fontdicts = 1;
font->fd_dict = malloc (sizeof (cairo_hash_table_t *));
font->fd_dict = _cairo_malloc (sizeof (cairo_hash_table_t *));
if (unlikely (font->fd_dict == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -1869,11 +1869,11 @@ cairo_cff_font_create_cid_fontdict (cairo_cff_font_t *font)
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
}
font->fd_subset_map = malloc (sizeof (int));
font->fd_subset_map = _cairo_malloc (sizeof (int));
if (unlikely (font->fd_subset_map == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
font->private_dict_offset = malloc (sizeof (int));
font->private_dict_offset = _cairo_malloc (sizeof (int));
if (unlikely (font->private_dict_offset == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -1968,7 +1968,7 @@ cairo_cff_font_subset_font (cairo_cff_font_t *font)
if (unlikely (status))
return status;
} else {
font->private_dict_offset = malloc (sizeof (int));
font->private_dict_offset = _cairo_malloc (sizeof (int));
if (unlikely (font->private_dict_offset == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
}
......@@ -2560,7 +2560,7 @@ cairo_cff_font_generate (cairo_cff_font_t *font,
/* If the PS name is not found, create a CairoFont-x-y name. */
if (font->ps_name == NULL) {
font->ps_name = malloc (30);
font->ps_name = _cairo_malloc (30);
if (unlikely (font->ps_name == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -2710,7 +2710,7 @@ _cairo_cff_font_load_opentype_cff (cairo_cff_font_t *font)
font->is_opentype = TRUE;
font->data_length = data_length;
font->data = malloc (data_length);
font->data = _cairo_malloc (data_length);
if (unlikely (font->data == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -2745,7 +2745,7 @@ _cairo_cff_font_load_cff (cairo_cff_font_t *font)
font->font_name = NULL;
font->is_opentype = FALSE;
font->data_length = data_length;
font->data = malloc (data_length);
font->data = _cairo_malloc (data_length);
if (unlikely (font->data == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -2981,7 +2981,7 @@ _cairo_cff_subset_init (cairo_cff_subset_t *cff_subset,
cff_subset->ascent = (double)font->ascent/font->units_per_em;
cff_subset->descent = (double)font->descent/font->units_per_em;
cff_subset->data = malloc (length);
cff_subset->data = _cairo_malloc (length);
if (unlikely (cff_subset->data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto fail4;
......@@ -3040,7 +3040,7 @@ _cairo_cff_scaled_font_is_cid_cff (cairo_scaled_font_t *scaled_font)
(status = backend->load_truetype_table (scaled_font, TT_TAG_CFF,
0, NULL, &data_length)) == CAIRO_INT_STATUS_SUCCESS)
{
data = malloc (data_length);
data = _cairo_malloc (data_length);
if (unlikely (data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
return FALSE;
......@@ -3057,7 +3057,7 @@ _cairo_cff_scaled_font_is_cid_cff (cairo_scaled_font_t *scaled_font)
(status = backend->load_type1_data (scaled_font,
0, NULL, &data_length)) == CAIRO_INT_STATUS_SUCCESS)
{
data = malloc (data_length);
data = _cairo_malloc (data_length);
if (unlikely (data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
return FALSE;
......@@ -3130,7 +3130,7 @@ _cairo_cff_font_fallback_create (cairo_scaled_font_subset_t *scaled_font_subset
cairo_status_t status;
cairo_cff_font_t *font;
font = malloc (sizeof (cairo_cff_font_t));
font = _cairo_malloc (sizeof (cairo_cff_font_t));
if (unlikely (font == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -3316,7 +3316,7 @@ cairo_cff_font_fallback_generate (cairo_cff_font_t *font,
if (unlikely (status))
return status;
} else {
font->private_dict_offset = malloc (sizeof (int));
font->private_dict_offset = _cairo_malloc (sizeof (int));
if (unlikely (font->private_dict_offset == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
}
......@@ -3393,7 +3393,7 @@ _cairo_cff_fallback_init (cairo_cff_subset_t *cff_subset,
cff_subset->ascent = (double)type2_subset.y_max/1000;
cff_subset->descent = (double)type2_subset.y_min/1000;
cff_subset->data = malloc (length);
cff_subset->data = _cairo_malloc (length);
if (unlikely (cff_subset->data == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto fail4;
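Review bot: In the `cff_index_append_copy` hunk (`@@ -547`), `element.data = _cairo_malloc (element.length)` now fails with CAIRO_STATUS_NO_MEMORY whenever `length` is 0, because the description says `_cairo_malloc(0)` always returns NULL; if zero-length INDEX elements are legitimate in the fonts this subsetter copies, that is a behaviour change, so either accept `length == 0` explicitly (skip the copy) or add a comment stating that callers never pass 0. The same consideration applies to `font->data = _cairo_malloc (data_length)` in the two `_load_*` hunks (`@@ -2710`, `@@ -2745`), where a zero-length table is presumably a malformed font and would be clearer reported as such rather than as out-of-memory. In `_cairo_cff_scaled_font_is_cid_cff` (`@@ -3040`, `@@ -3057`) the `status = _cairo_error (...)` stored on the NULL path appears never to be read before `return FALSE`, which the commit leaves as is; the enclosing functions all extend beyond the hunks shown.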
......
......@@ -465,7 +465,7 @@ _pool_chunk_create(struct pool *pool, size_t size)
{
struct _pool_chunk *p;
p = malloc(size + sizeof(struct _pool_chunk));
p = _cairo_malloc (size + sizeof(struct _pool_chunk));
if (unlikely (NULL == p))
longjmp (*pool->jmp, _cairo_error (CAIRO_STATUS_NO_MEMORY));
......
......@@ -62,7 +62,7 @@ _cairo_clip_path_create (cairo_clip_t *clip)
clip_path = _freed_pool_get (&clip_path_pool);
if (unlikely (clip_path == NULL)) {
clip_path = malloc (sizeof (cairo_clip_path_t));
clip_path = _cairo_malloc (sizeof (cairo_clip_path_t));
if (unlikely (clip_path == NULL))
return NULL;
}
......@@ -108,7 +108,7 @@ _cairo_clip_create (void)
clip = _freed_pool_get (&clip_pool);
if (unlikely (clip == NULL)) {
clip = malloc (sizeof (cairo_clip_t));
clip = _cairo_malloc (sizeof (cairo_clip_t));
if (unlikely (clip == NULL))
return NULL;
}
......@@ -735,7 +735,7 @@ _cairo_rectangle_list_create_in_error (cairo_status_t status)
if (status == CAIRO_STATUS_CLIP_NOT_REPRESENTABLE)
return (cairo_rectangle_list_t*) &_cairo_rectangles_not_representable;
list = malloc (sizeof (*list));
list = _cairo_malloc (sizeof (*list));
if (unlikely (list == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
return (cairo_rectangle_list_t*) &_cairo_rectangles_nil;
......@@ -795,7 +795,7 @@ _cairo_clip_copy_rectangle_list (cairo_clip_t *clip, cairo_gstate_t *gstate)
}
DONE:
list = malloc (sizeof (cairo_rectangle_list_t));
list = _cairo_malloc (sizeof (cairo_rectangle_list_t));
if (unlikely (list == NULL)) {
free (rectangles);
return ERROR_LIST (CAIRO_STATUS_NO_MEMORY);
......
......@@ -755,7 +755,7 @@ _cairo_cogl_context_create (void *target)
cr = _freed_pool_get (&context_pool);
if (unlikely (cr == NULL)) {
cr = malloc (sizeof (cairo_cogl_context_t));
cr = _cairo_malloc (sizeof (cairo_cogl_context_t));
if (unlikely (cr == NULL))
return _cairo_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
}
......
......@@ -397,7 +397,7 @@ _cairo_cogl_get_linear_gradient (cairo_cogl_device_t *device,
}
if (!gradient) {
gradient = malloc (sizeof (cairo_cogl_linear_gradient_t) +
gradient = _cairo_malloc (sizeof (cairo_cogl_linear_gradient_t) +
sizeof (cairo_gradient_stop_t) * (n_stops - 1));
if (!gradient)
return CAIRO_INT_STATUS_NO_MEMORY;
......@@ -413,7 +413,7 @@ _cairo_cogl_get_linear_gradient (cairo_cogl_device_t *device,
} else
_cairo_cogl_linear_gradient_reference (gradient);
entry = malloc (sizeof (cairo_cogl_linear_texture_entry_t));
entry = _cairo_malloc (sizeof (cairo_cogl_linear_texture_entry_t));
if (!entry) {
status = CAIRO_INT_STATUS_NO_MEMORY;
goto BAIL;
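Review bot: The two allocation failures in this section still report bare `CAIRO_INT_STATUS_NO_MEMORY` (`return CAIRO_INT_STATUS_NO_MEMORY;` and `status = CAIRO_INT_STATUS_NO_MEMORY;`) without going through `_cairo_error`, unlike every other allocation-failure path touched by this commit; since the point of the change is consistent use of cairo's wrappers, `return _cairo_error (CAIRO_INT_STATUS_NO_MEMORY);` would be the matching form, if the int-status variant is what the error hook expects here. The size expression `sizeof (cairo_cogl_linear_gradient_t) + sizeof (cairo_gradient_stop_t) * (n_stops - 1)` is also passed unchecked; if `n_stops` is unsigned and can be 0, `n_stops - 1` wraps, and cairo's overflow-checked `_cairo_malloc_ab_plus_c`, if available in this tree, would cover both that and the multiplication. Both functions continue outside the hunks.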
......
......@@ -1994,7 +1994,7 @@ _cairo_cogl_get_path_stroke_meta (cairo_cogl_surface_t *surface,
CAIRO_REFERENCE_COUNT_INIT (&meta->ref_count, 1);
meta->cache_entry.hash = hash;
meta->counter = 0;
meta_path = malloc (sizeof (cairo_path_fixed_t));
meta_path = _cairo_malloc (sizeof (cairo_path_fixed_t));
if (!meta_path)
goto BAIL;
/* FIXME: we should add a ref-counted wrapper for our user_paths
......@@ -2248,7 +2248,7 @@ _cairo_cogl_get_path_fill_meta (cairo_cogl_surface_t *surface)
meta->cache_entry.hash = hash;
meta->counter = 0;
CAIRO_REFERENCE_COUNT_INIT (&meta->ref_count, 1);
meta_path = malloc (sizeof (cairo_path_fixed_t));
meta_path = _cairo_malloc (sizeof (cairo_path_fixed_t));
if (!meta_path)
goto BAIL;
/* FIXME: we should add a ref-counted wrapper for our user_paths
......@@ -2504,7 +2504,7 @@ _cairo_cogl_surface_create_full (cairo_cogl_device_t *dev,
if (unlikely (status))
return _cairo_surface_create_in_error (status);
surface = malloc (sizeof (cairo_cogl_surface_t));
surface = _cairo_malloc (sizeof (cairo_cogl_surface_t));
if (unlikely (surface == NULL))
return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
......
......@@ -51,7 +51,7 @@ _cairo_damage_create (void)
{
cairo_damage_t *damage;
damage = malloc (sizeof (*damage));
damage = _cairo_malloc (sizeof (*damage));
if (unlikely (damage == NULL)) {
_cairo_error_throw(CAIRO_STATUS_NO_MEMORY);
return (cairo_damage_t *) &__cairo_damage__nil;
......@@ -122,7 +122,7 @@ _cairo_damage_add_boxes(cairo_damage_t *damage,
if (size < count)
size = (count + 64) & ~63;
chunk = malloc (sizeof (*chunk) + sizeof (cairo_box_t) * size);
chunk = _cairo_malloc (sizeof (*chunk) + sizeof (cairo_box_t) * size);
if (unlikely (chunk == NULL)) {
_cairo_damage_destroy (damage);
return (cairo_damage_t *) &__cairo_damage__nil;
......@@ -210,7 +210,7 @@ _cairo_damage_reduce (cairo_damage_t *damage)
boxes = damage->tail->base;
if (damage->dirty > damage->tail->size) {
boxes = free_boxes = malloc (damage->dirty * sizeof (cairo_box_t));
boxes = free_boxes = _cairo_malloc (damage->dirty * sizeof (cairo_box_t));
if (unlikely (boxes == NULL)) {
_cairo_damage_destroy (damage);
return (cairo_damage_t *) &__cairo_damage__nil;
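Review bot: In `_cairo_damage_add_boxes` (`@@ -122`) the request `sizeof (*chunk) + sizeof (cairo_box_t) * size` is computed with plain arithmetic, where `size` derives from the caller's `count` via `(count + 64) & ~63`; an overflowing product would wrap to a small allocation that the subsequent box copy overruns, which is the same class of heap overflow the commit cites, though in practice `count` is presumably far below that range. The overflow-checked wrapper cairo uses elsewhere for n*size+k allocations (`_cairo_malloc_ab_plus_c`, if present in this tree) would make the intent explicit, and the same applies to `damage->dirty * sizeof (cairo_box_t)` in `_cairo_damage_reduce` (`@@ -210`). Both functions extend beyond the hunks shown.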
......
......@@ -1481,7 +1481,7 @@ _cairo_default_context_create (void *target)
cr = _freed_pool_get (&context_pool);
if (unlikely (cr == NULL)) {
cr = malloc (sizeof (cairo_default_context_t));
cr = _cairo_malloc (sizeof (cairo_default_context_t));
if (unlikely (cr == NULL))
return _cairo_create_in_error (_cairo_error (CAIRO_STATUS_NO_MEMORY));
}
......
......@@ -124,7 +124,7 @@ _cairo_deflate_stream_create (cairo_output_stream_t *output)
if (output->status)
return _cairo_output_stream_create_in_error (output->status);
stream = malloc (sizeof (cairo_deflate_stream_t));
stream = _cairo_malloc (sizeof (cairo_deflate_stream_t));
if (unlikely (stream == NULL)) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_output_stream_t *) &_cairo_output_stream_nil;
......
......@@ -288,7 +288,7 @@ twin_font_face_create_properties (cairo_font_face_t *twin_face)
{
twin_face_properties_t *props;
props = malloc (sizeof (twin_face_properties_t));
props = _cairo_malloc (sizeof (twin_face_properties_t));
if (unlikely (props == NULL))
return NULL;
......@@ -412,7 +412,7 @@ twin_scaled_font_compute_properties (cairo_scaled_font_t *scaled_font,
cairo_status_t status;
twin_scaled_properties_t *props;
props = malloc (sizeof (twin_scaled_properties_t));
props = _cairo_malloc (sizeof (twin_scaled_properties_t));
if (unlikely (props == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......
......@@ -109,7 +109,7 @@ cairo_font_options_create (void)
{
cairo_font_options_t *options;
options = malloc (sizeof (cairo_font_options_t));
options = _cairo_malloc (sizeof (cairo_font_options_t));
if (!options) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_font_options_t *) &_cairo_font_options_nil;
......@@ -143,7 +143,7 @@ cairo_font_options_copy (const cairo_font_options_t *original)
if (cairo_font_options_status ((cairo_font_options_t *) original))
return (cairo_font_options_t *) &_cairo_font_options_nil;
options = malloc (sizeof (cairo_font_options_t));
options = _cairo_malloc (sizeof (cairo_font_options_t));
if (!options) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_font_options_t *) &_cairo_font_options_nil;
......
......@@ -61,7 +61,7 @@ _cairo_freelist_alloc (cairo_freelist_t *freelist)
return node;
}
return malloc (freelist->nodesize);
return _cairo_malloc (freelist->nodesize);
}
void *
......@@ -139,7 +139,7 @@ _cairo_freepool_alloc_from_new_pool (cairo_freepool_t *freepool)
else
poolsize = (128 * freepool->nodesize + 8191) & -8192;
pool = malloc (sizeof (cairo_freelist_pool_t) + poolsize);
pool = _cairo_malloc (sizeof (cairo_freelist_pool_t) + poolsize);
if (unlikely (pool == NULL))
return pool;
......
......@@ -300,7 +300,7 @@ _cairo_ft_unscaled_font_map_create (void)
* detect some other call path. */
assert (cairo_ft_unscaled_font_map == NULL);
font_map = malloc (sizeof (cairo_ft_unscaled_font_map_t));
font_map = _cairo_malloc (sizeof (cairo_ft_unscaled_font_map_t));
if (unlikely (font_map == NULL))
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......@@ -563,7 +563,7 @@ _cairo_ft_unscaled_font_create_internal (cairo_bool_t from_face,
}
/* Otherwise create it and insert into hash table. */
unscaled = malloc (sizeof (cairo_ft_unscaled_font_t));
unscaled = _cairo_malloc (sizeof (cairo_ft_unscaled_font_t));
if (unlikely (unscaled == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto UNWIND_FONT_MAP_LOCK;
......@@ -2015,7 +2015,7 @@ _cairo_ft_font_face_scaled_font_create (void *abstract_font_face,
if (unlikely (face == NULL)) /* backend error */
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
scaled_font = malloc (sizeof (cairo_ft_scaled_font_t));
scaled_font = _cairo_malloc (sizeof (cairo_ft_scaled_font_t));
if (unlikely (scaled_font == NULL)) {
status = _cairo_error (CAIRO_STATUS_NO_MEMORY);
goto FAIL;
......@@ -3247,7 +3247,7 @@ _cairo_ft_font_face_create_for_pattern (FcPattern *pattern)
{
cairo_ft_font_face_t *font_face;
font_face = malloc (sizeof (cairo_ft_font_face_t));
font_face = _cairo_malloc (sizeof (cairo_ft_font_face_t));
if (unlikely (font_face == NULL)) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_font_face_t *) &_cairo_font_face_nil;
......@@ -3309,7 +3309,7 @@ _cairo_ft_font_face_create (cairo_ft_unscaled_font_t *unscaled,
}
/* No match found, create a new one */
font_face = malloc (sizeof (cairo_ft_font_face_t));
font_face = _cairo_malloc (sizeof (cairo_ft_font_face_t));
if (unlikely (!font_face)) {
_cairo_error_throw (CAIRO_STATUS_NO_MEMORY);
return (cairo_font_face_t *)&_cairo_font_face_nil;
......
......@@ -307,7 +307,7 @@ _cairo_gl_context_init (cairo_gl_context_t *ctx)
ctx->vbo_size = _cairo_gl_get_vbo_size();
ctx->vb = malloc (ctx->vbo_size);
ctx->vb = _cairo_malloc (ctx->vbo_size);
if (unlikely (ctx->vb == NULL)) {
_cairo_cache_fini (&ctx->gradients);
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......
......@@ -248,7 +248,7 @@ _cairo_gl_gradient_create (cairo_gl_context_t *ctx,
return CAIRO_STATUS_SUCCESS;
}
gradient = malloc (sizeof (cairo_gl_gradient_t) + sizeof (cairo_gradient_stop_t) * (n_stops - 1));
gradient = _cairo_malloc (sizeof (cairo_gl_gradient_t) + sizeof (cairo_gradient_stop_t) * (n_stops - 1));
if (gradient == NULL)
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
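Review bot: The request `sizeof (cairo_gl_gradient_t) + sizeof (cairo_gradient_stop_t) * (n_stops - 1)` relies on `n_stops >= 1` and on the product not overflowing, and the hunk shows neither being checked; the `n_stops - 1` form suggests a trailing `stops[1]` array, so a `n_stops == 0` caller would underflow if the type is unsigned. If such inputs are rejected earlier in `_cairo_gl_gradient_create` (the function starts outside the hunk), a comment such as `/* n_stops >= 1 is guaranteed by the caller */` above the allocation would document that; otherwise cairo's overflow-checked allocation helper, if available here, is the safer replacement for the open-coded arithmetic.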
......
......@@ -1060,7 +1060,7 @@ _cairo_gl_get_shader_by_type (cairo_gl_context_t *ctx,
if (unlikely (status))
return status;
entry = malloc (sizeof (cairo_shader_cache_entry_t));
entry = _cairo_malloc (sizeof (cairo_shader_cache_entry_t));
if (unlikely (entry == NULL)) {
free (fs_source);
return _cairo_error (CAIRO_STATUS_NO_MEMORY);
......