From 02d97689579efa5de67e8bb29663e59548524218 Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Tue, 1 Nov 2022 15:00:27 +0000
Subject: [PATCH] Avoid potential null-deref in active_edges()

This fixes a crash found by a fuzzer-generated testcase in Firefox where the `right` pointer is null; see https://bugzilla.mozilla.org/show_bug.cgi?id=1797103. Unfortunately I don't have a simple/standalone test that reaches this, and am not really sure if this is the right way to fix, or if something went wrong earlier leaving the polygons in an unexpected state, but this at least resolves the observed crash. It shouldn't change behavior for any currently-working case, because it only affects the case where we're otherwise about to crash.
---
 src/cairo-polygon-intersect.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/cairo-polygon-intersect.c b/src/cairo-polygon-intersect.c
index 001e55ee0..6da16fad4 100644
--- a/src/cairo-polygon-intersect.c
+++ b/src/cairo-polygon-intersect.c
@@ -1158,7 +1158,7 @@ active_edges (cairo_bo_edge_t *left,
 if (! is_zero (winding))
 break;
- if unlikely ((left->deferred.other))
+ if (unlikely (left->deferred.other))
 edges_end (left, top, polygon);
 left = left->next;
@@ -1168,7 +1168,10 @@ active_edges (cairo_bo_edge_t *left,
 right = left->next;
 do {
- if unlikely ((right->deferred.other))
+ if (! right)
+ return;
+
+ if (unlikely (right->deferred.other))
 edges_end (right, top, polygon);
 winding[right->a_or_b] += right->edge.dir;
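Review bot: The new `if (! right) return;` in the second hunk turns a fuzzer-found null dereference into a silent early exit from active_edges(), but the hunk carries no comment saying that this state (the active edge list ending before the winding returns to zero for `left`) is believed to be unreachable and is, per the commit message, probably a symptom of an earlier inconsistency rather than a legitimate case. As written, a future reader will take the guard for a normal code path, and the spans reached so far in this call are abandoned without any trapezoid being emitted for the open `left` edge — an output loss that is invisible once the crash is gone. I would add a comment above the check, e.g. `/* No closing edge for 'left': the active list is unbalanced, which should not happen. Bail out rather than dereference NULL; see bug 1797103. */`, and consider a debug-only `assert (right != NULL)` before the `return` so fuzzing keeps surfacing the root cause instead of masking it. The guard is re-evaluated on every pass of the inner `do` loop, which is what is needed if `right` is advanced at the bottom of the loop (that advance and the rest of active_edges() are outside this hunk, so I cannot confirm it here).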