Fix a NULL access in active_edges_to_traps().

The Bentley-Ottmann tessellation implementation uses
an x of INT32_MAX as a sentinel.
If a rectangle has an x of INT32_MAX, active_edges_to_traps()
can read past the end of the edge list when building trapezoids.
This patch reduces an x of INT32_MAX to INT32_MAX-1.
This avoids the crash in https://gitlab.freedesktop.org/poppler/poppler/-/issues/1579
This is an alternative to the patch in https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/620
that adds a check for NULL pointers when traversing the edge list.

Edit by Uli: This fixes the crash in bug-crash-tessellate-pdf.
William Bader 2025-04-28 05:01:45 +02:00 committed by Uli Schlachter
parent 1cecfd7203
commit 9aaa95f248

@ -847,6 +847,8 @@ _cairo_bentley_ottmann_tessellate_boxes (const cairo_boxes_t *in,
rectangles[j].left.x = box[i].p2.x;
rectangles[j].left.dir = -1;
}
if (rectangles[j].left.x == INT32_MAX) rectangles[j].left.x = INT32_MAX-1;
if (rectangles[j].right.x == INT32_MAX) rectangles[j].right.x = INT32_MAX-1;
rectangles[j].left.right = NULL;
rectangles[j].right.right = NULL;
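
Review bot: the two added clamps on rectangles[j].left.x and rectangles[j].right.x carry no comment saying why INT32_MAX is special, so a later reader sees an unexplained off-by-one adjustment to the input geometry. A short comment that INT32_MAX is reserved as the tessellator's sentinel, and that an edge at that x lets active_edges_to_traps() read past the end of the edge list, would keep the fix from being removed as dead code. The clamps are also applied independently: a box whose edges sit at INT32_MAX-1 and INT32_MAX ends up with left.x == right.x, so it is worth confirming that a zero-width rectangle is skipped or handled downstream, or rejecting it here. As a style point, each `if` and its assignment would read better on separate lines.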