Avoid potential null-deref in active_edges()

This fixes a crash found by a fuzzer-generated testcase in Firefox where the `right` pointer is null; see https://bugzilla.mozilla.org/show_bug.cgi?id=1797103. Unfortunately I don't have a simple/standalone test that reaches this, and am not really sure if this is the right way to fix, or if something went wrong earlier leaving the polygons in an unexpected state, but this at least resolves the observed crash.

It shouldn't change behavior for any currently-working case, because it only affects the case where we're otherwise about to crash.
Jonathan Kew 2022-11-01 15:00:27 +00:00 committed by Jonathan Kew
parent 8f1190dc82
commit 02d9768957


@ -1158,7 +1158,7 @@ active_edges (cairo_bo_edge_t *left,
if (! is_zero (winding))
break;
if unlikely ((left->deferred.other))
if (unlikely (left->deferred.other))
edges_end (left, top, polygon);
left = left->next;
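Review bot: The `if unlikely ((left->deferred.other))` to `if (unlikely (left->deferred.other))` change in this hunk is a pure style normalization with no behavior change, and it is not mentioned in the commit message, which only describes the null-deref fix. The old spelling compiles only because the `unlikely` macro's expansion happens to supply the parentheses that `if` requires; the new spelling is the conventional form and does not depend on that. Please either mention this cleanup in the commit message or split it into its own commit so the bug fix stays minimal and easy to bisect.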
@ -1168,7 +1168,10 @@ active_edges (cairo_bo_edge_t *left,
right = left->next;
do {
if unlikely ((right->deferred.other))
if (! right)
return;
if (unlikely (right->deferred.other))
edges_end (right, top, polygon);
winding[right->a_or_b] += right->edge.dir;
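Review bot: The new `if (! right) return;` at the top of the `do` body turns a crash into a silent early exit from `active_edges` that skips the remaining `winding[]` accumulation and whatever follows the loop, and the commit message itself says it is unclear whether the polygons are already in an unexpected state when this happens. At minimum, add a comment at the guard explaining that a null `right` is not expected and pointing at the bug report, and consider an `assert (right)` (or the project's debug-build equivalent) next to it so the underlying cause is still caught during development rather than masked. Since `right` is initialised from `left->next` immediately before the loop, the guard also covers a null `next` on entry; if the loop's own advance (not visible in this hunk) can also yield null, a note that the check is deliberately placed first in the body to cover both cases would make the intent clearer.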