The original check-def.sh called make. In meson, check-def.sh is
replaced by two shell scripts, one for generating cairo.def, the other
for comparing with the library symbols.
The library filename appended to the cairo.def has been omitted as
this is only reqired in autotools builds where the cairo.def is also
to generate cairo.dll in the windows build.
make-cairo-def.sh is based on the cairo.def target in Makefile.am.
meson-check-def.sh is based on check-def.sh
Inspired by [1], I looked into the other functions in
cairo-image-info.c. This commit fixes the possible out-of-bound reads
that I found just by staring at the code.
_jpx_next_box() would happily read beyond the end of the data via
get_unaligned_be32(). This commit adds checks that at least for bytes of
data are available.
Additionally, I made this function check that its returned pointer is
within bounds, just because I found this easier to reason about.
Also, _jpx_extract_info() did not check that it had enough data to read.
This is fixed by making the function fallible and giving it information
about the end of data.
[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/386
Signed-off-by: Uli Schlachter <psychon@znc.in>
The autotools build files are on their way out (See !298). As
preparation for dropping the autotools build, this commit switches CI to
run tests based on the meson build instead of the autotools one.
No functional changes intended.
Signed-off-by: Uli Schlachter <psychon@znc.in>
The check-refs.sh script detects duplicate reference images. This commit
adds it to be run by CI. For this, the script is extended with a proper
exit code.
Signed-off-by: Uli Schlachter <psychon@znc.in>
Running test/check-refs.sh reports:
redundant: arc-direction.pdf.ref.png and arc-direction.ref.png are byte-by-byte identical files
redundant: big-little-triangle.traps.argb32.ref.png and big-little-triangle.argb32.ref.png are byte-by-byte identical files
redundant: big-little-triangle.traps.rgb24.ref.png and big-little-triangle.rgb24.ref.png are byte-by-byte identical files
redundant: clip-fill-rule.pdf.rgb24.ref.png and clip-fill-rule.rgb24.ref.png are byte-by-byte identical files
redundant: dash-offset-negative.pdf.ref.png and dash-offset-negative.ref.png are byte-by-byte identical files
redundant: font-matrix-translation.traps.ref.png and font-matrix-translation.ref.png are byte-by-byte identical files
redundant: ft-show-glyphs-positioning.traps.ref.png and ft-show-glyphs-positioning.ref.png are byte-by-byte identical files
redundant: ft-show-glyphs-table.traps.ref.png and ft-show-glyphs-table.ref.png are byte-by-byte identical files
redundant: glyph-cache-pressure.traps.ref.png and glyph-cache-pressure.ref.png are byte-by-byte identical files
redundant: inverse-text.traps.ref.png and inverse-text.ref.png are byte-by-byte identical files
redundant: line-width-large-overlap-offset.ps.ref.png and line-width-large-overlap-offset.ref.png are byte-by-byte identical files
redundant: partial-clip-text-right.traps.ref.png and partial-clip-text-right.ref.png are byte-by-byte identical files
redundant: partial-clip-text-top.traps.ref.png and partial-clip-text-top.ref.png are byte-by-byte identical files
redundant: record90-fill-alpha.pdf.ref.png and record90-fill-alpha.ref.png are byte-by-byte identical files
redundant: record90-paint-alpha-clip.quartz.ref.png and record90-paint-alpha-clip.ref.png are byte-by-byte identical files
redundant: record-fill-alpha.pdf.ref.png and record-fill-alpha.ref.png are byte-by-byte identical files
redundant: recordflip-whole-fill-alpha.quartz.ref.png and recordflip-whole-fill-alpha.ref.png are byte-by-byte identical files
redundant: recordflip-whole-paint-alpha-clip-mask.quartz.ref.png and recordflip-whole-paint-alpha-clip-mask.ref.png are byte-by-byte identical files
redundant: record-mesh.ps.ref.png and record-mesh.ref.png are byte-by-byte identical files
redundant: select-font-face.traps.ref.png and select-font-face.ref.png are byte-by-byte identical files
redundant: show-glyphs-advance.traps.ref.png and show-glyphs-advance.ref.png are byte-by-byte identical files
redundant: show-text-current-point.traps.ref.png and show-text-current-point.ref.png are byte-by-byte identical files
redundant: text-antialias-gray.traps.ref.png and text-antialias-gray.ref.png are byte-by-byte identical files
This commit removes these redundant files.
Signed-off-by: Uli Schlachter <psychon@znc.in>
In a recent MR [1], Adrian Johnson writes:
For additional safety you could change the unsigned long to size_t
since long is 32-bits on Win64. The CFF spec says the offset size used
in decode_index_offset must be between 1 and 4 so you could range
check that to avoid overflowing the offset.
This commit implements exactly that.
[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743
Signed-off-by: Uli Schlachter <psychon@znc.in>
While working on the previous commit, I noticed that nothing makes sure
that the entry points within the font data. Thus, this could easily
cause out-of-bounds reads.
This commit adds a suitable length check for this.
Signed-off-by: Uli Schlachter <psychon@znc.in>
I was looking at [1]. While trying to reproduce the problem that is
described there, valgrind reported:
Argument 'size' of function malloc has a fishy (possibly negative) value: -8
at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B20E92: cairo_cff_font_read_name (cairo-cff-subset.c:895)
by 0x4B221AD: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
by 0x4B24EF2: cairo_cff_font_generate (cairo-cff-subset.c:2587)
by 0x4B25EA3: _cairo_cff_subset_init (cairo-cff-subset.c:2979)
This commit is about fixing the above.
The function decode_index_offset() returns an unsigned long. This value
was cast to an "int" in cff_index_read(), leading to a possibility for
over/underflow. Also, nothing checked that an entry in the index table
had a non-zero length, leading to an entry with length -8 as reported by
valgrind.
Fix this by using "unsigned long" for the local variables and checking
the length to be non-negative.
With the above fixed, the original test case started crashing.
Apparently, cairo_cff_font_read_name() does not expect nor handle
failures from cff_index_read(). Thus, a check for this case was added to
make the new crash go away.
[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51324
Signed-off-by: Uli Schlachter <psychon@znc.in>
In _cairo_type3_glyph_surface_create(), we call
_cairo_surface_clipper_init(), but nothing ever called
_cairo_surface_clipper_reset() in this call. This commit adds that
missing call.
This fixes a leak of a clip.
Since I have no clue about this code (does _cairo_pdf_operators_fini()
possible use the clipper?), I did the patch like this. This should avoid
any possibility for a use-after-free.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51043
Signed-off-by: Uli Schlachter <psychon@znc.in>
This commit changes the height of the coverage-column-triangles test by
using a smaller height for the test. Previously the image was 40 pixels
in height and the test took 517 seconds for me. Now, the image has a
height of 4 pixels and the test takes 55 seconds.
This is possible since column_triangles() does the same thing for each y
coordinate. Thus, previously this test just did the same thing 40 times.
Times are measured with the backends I happened to have enabled locally:
script, xcb, xlib, image, recording.
Thanks a lot to Christian Rohlfs for coming up with this idea in
https://gitlab.freedesktop.org/cairo/cairo/-/issues/498#note_1700197
Possibly-fixes: https://gitlab.freedesktop.org/cairo/cairo/-/issues/498
Signed-off-by: Uli Schlachter <psychon@znc.in>
The tests in coverage.c have #defines for WIDTH and HEIGHT, but also
have function arguments for these numbers. This commit changes the tests
to use the function arguments instead of the defines.
One complication is the rhombus test that already had a factor 2 between
these two numbers. A new variable is added to get back the previous
value.
Signed-off-by: Uli Schlachter <psychon@znc.in>
According to valgrind, there is a use-after-free here. The function
_cairo_ps_surface_emit_surface() temporarily replaces some member of a
struct and then later re-sets it. However, there is an early return
possible that would skip that part of the code.
This commit moves the re-set up so that no freed pointers are left
behind. This seems to fix the crash.
Signed-off-by: Uli Schlachter <psychon@znc.in>
This adds the necessary dependencies for testing cairo-ps to CI and sets
up jobs for testing the ps2 and ps3 backends.
Signed-off-by: Uli Schlachter <psychon@znc.in>
