From b57526185d60b3e36bb0f6684cc0ae9ac2294972 Mon Sep 17 00:00:00 2001
From: William Bader
Date: Mon, 28 Apr 2025 05:01:45 +0200
Subject: [PATCH 1/2] Fix a NULL access in active_edges_to_traps().

The bentley-ottmann tessellation implementation uses an x of INT32_MAX as a sentinel. If a rectangle has an x of INT32_MAX, active_edges_to_traps() can read past the end of the edge list when building trapezoids. This patch reduces an x of INT32_MAX to INT32_MAX-1. This avoids the crash in https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579 This is an alternative to the patch in https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/620 that adds a check for NULL pointers when traversing the edge list.
---
 src/cairo-bentley-ottmann-rectangular.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
index 65f95d797..be01e04f7 100644
--- a/src/cairo-bentley-ottmann-rectangular.c
+++ b/src/cairo-bentley-ottmann-rectangular.c
@@ -847,6 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in,
 rectangles[j].left.x = box[i].p2.x;
 rectangles[j].left.dir = -1;
 }
+ if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;
+ if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1;
 rectangles[j].left.right = NULL;
 rectangles[j].right.right = NULL;

From b9a3098830fa5e993ed9f82efd009aed9a00684d Mon Sep 17 00:00:00 2001
From: William Bader
Date: Mon, 28 Apr 2025 05:34:39 +0200
Subject: [PATCH 2/2] Add unlikely() to test for x == INT32_MAX for the NULL reference in https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579
---
 src/cairo-bentley-ottmann-rectangular.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
index be01e04f7..357d1a75f 100644
--- a/src/cairo-bentley-ottmann-rectangular.c
+++ b/src/cairo-bentley-ottmann-rectangular.c
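Review bot: The clamp on the two added lines removes the sentinel collision only for rectangles built in this loop, while the over-read lives in active_edges_to_traps(), which still trusts that no real edge carries INT32_MAX; any other producer of that edge list stays exposed, so landing the NULL/bounds check from the referenced merge request in addition to this clamp would make the reader robust regardless of caller. Clamping also alters geometry instead of rejecting it: a box whose two x edges are INT32_MAX-1 and INT32_MAX collapses to zero width after the clamp (the right.x assignment is above the hunk, so this is inferred from the left.x branch shown), and if the tessellator does not already tolerate left.x == right.x that box should be skipped rather than merged. A regression test in the cairo suite with a box whose x coordinate is INT32_MAX would pin the poppler crash the commit cites. The enclosing _cairo_bentley_ottmann_tessellate_boxes starts and ends outside the hunk.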
@@ -847,8 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in,
 rectangles[j].left.x = box[i].p2.x;
 rectangles[j].left.dir = -1;
 }
- if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;
- if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1;
+ if (unlikely (rectangles[j].left.x == INT32_MAX)) rectangles[j].left.x = INT32_MAX-1;
+ if (unlikely (rectangles[j].right.x == INT32_MAX)) rectangles[j].right.x = INT32_MAX-1;
 rectangles[j].left.right = NULL;
 rectangles[j].right.right = NULL;
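Review bot: The final form of the two clamp lines still does not say why INT32_MAX must be excluded, so the next maintainer will read them as an arbitrary off-by-one; add above them `/* INT32_MAX is the end-of-edge-list sentinel in active_edges_to_traps(); keep real edges below it. */`. If the file braces single-statement bodies elsewhere, these should follow suit and the constant should be spaced as the rest of the file spaces operators, e.g. `if (unlikely (rectangles[j].left.x == INT32_MAX)) { rectangles[j].left.x = INT32_MAX - 1; }`. _cairo_bentley_ottmann_tessellate_boxes begins and ends outside the hunk.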