Running test/check-refs.sh reports:
redundant: arc-direction.pdf.ref.png and arc-direction.ref.png are byte-by-byte identical files
redundant: big-little-triangle.traps.argb32.ref.png and big-little-triangle.argb32.ref.png are byte-by-byte identical files
redundant: big-little-triangle.traps.rgb24.ref.png and big-little-triangle.rgb24.ref.png are byte-by-byte identical files
redundant: clip-fill-rule.pdf.rgb24.ref.png and clip-fill-rule.rgb24.ref.png are byte-by-byte identical files
redundant: dash-offset-negative.pdf.ref.png and dash-offset-negative.ref.png are byte-by-byte identical files
redundant: font-matrix-translation.traps.ref.png and font-matrix-translation.ref.png are byte-by-byte identical files
redundant: ft-show-glyphs-positioning.traps.ref.png and ft-show-glyphs-positioning.ref.png are byte-by-byte identical files
redundant: ft-show-glyphs-table.traps.ref.png and ft-show-glyphs-table.ref.png are byte-by-byte identical files
redundant: glyph-cache-pressure.traps.ref.png and glyph-cache-pressure.ref.png are byte-by-byte identical files
redundant: inverse-text.traps.ref.png and inverse-text.ref.png are byte-by-byte identical files
redundant: line-width-large-overlap-offset.ps.ref.png and line-width-large-overlap-offset.ref.png are byte-by-byte identical files
redundant: partial-clip-text-right.traps.ref.png and partial-clip-text-right.ref.png are byte-by-byte identical files
redundant: partial-clip-text-top.traps.ref.png and partial-clip-text-top.ref.png are byte-by-byte identical files
redundant: record90-fill-alpha.pdf.ref.png and record90-fill-alpha.ref.png are byte-by-byte identical files
redundant: record90-paint-alpha-clip.quartz.ref.png and record90-paint-alpha-clip.ref.png are byte-by-byte identical files
redundant: record-fill-alpha.pdf.ref.png and record-fill-alpha.ref.png are byte-by-byte identical files
redundant: recordflip-whole-fill-alpha.quartz.ref.png and recordflip-whole-fill-alpha.ref.png are byte-by-byte identical files
redundant: recordflip-whole-paint-alpha-clip-mask.quartz.ref.png and recordflip-whole-paint-alpha-clip-mask.ref.png are byte-by-byte identical files
redundant: record-mesh.ps.ref.png and record-mesh.ref.png are byte-by-byte identical files
redundant: select-font-face.traps.ref.png and select-font-face.ref.png are byte-by-byte identical files
redundant: show-glyphs-advance.traps.ref.png and show-glyphs-advance.ref.png are byte-by-byte identical files
redundant: show-text-current-point.traps.ref.png and show-text-current-point.ref.png are byte-by-byte identical files
redundant: text-antialias-gray.traps.ref.png and text-antialias-gray.ref.png are byte-by-byte identical files
This commit removes these redundant files.
Signed-off-by: Uli Schlachter <psychon@znc.in>

In a recent MR [1], Adrian Johnson writes:
For additional safety you could change the unsigned long to size_t
since long is 32-bits on Win64. The CFF spec says the offset size used
in decode_index_offset must be between 1 and 4 so you could range
check that to avoid overflowing the offset.
This commit implements exactly that.
[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743
Signed-off-by: Uli Schlachter <psychon@znc.in>

While working on the previous commit, I noticed that nothing makes sure
that the entry points within the font data. Thus, this could easily
cause out-of-bounds reads.
This commit adds a suitable length check for this.
Signed-off-by: Uli Schlachter <psychon@znc.in>

I was looking at [1]. While trying to reproduce the problem that is
described there, valgrind reported:
Argument 'size' of function malloc has a fishy (possibly negative) value: -8
at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B20E92: cairo_cff_font_read_name (cairo-cff-subset.c:895)
by 0x4B221AD: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
by 0x4B24EF2: cairo_cff_font_generate (cairo-cff-subset.c:2587)
by 0x4B25EA3: _cairo_cff_subset_init (cairo-cff-subset.c:2979)
This commit is about fixing the above.
The function decode_index_offset() returns an unsigned long. This value
was cast to an "int" in cff_index_read(), leading to a possibility for
over/underflow. Also, nothing checked that an entry in the index table
had a non-zero length, leading to an entry with length -8 as reported by
valgrind.
Fix this by using "unsigned long" for the local variables and checking
the length to be non-negative.
With the above fixed, the original test case started crashing.
Apparently, cairo_cff_font_read_name() does not expect nor handle
failures from cff_index_read(). Thus, a check for this case was added to
make the new crash go away.
[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51324
Signed-off-by: Uli Schlachter <psychon@znc.in>

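The three CFF commits above each add one check to the INDEX reader: an offset size range-checked to 1..4, offsets that must stay inside the font data, and entries whose end offset must not precede their start. The following is an added example that is not cairo's code; it is a stand-alone hardened reader for the CFF INDEX structure as the CFF spec defines it (Card16 count, OffSize offSize, count+1 big-endian offsets that are 1-based relative to the byte before the data, then the object data). The function names cff_index_parse(), cff_offset_decode() and cff_index_object() are hypothetical and loosely correspond to the cff_index_read() and decode_index_offset() mentioned in the commits; size_t is used for offsets and lengths throughout, as the first commit suggests, and the input buffers are constructed for the example, not taken from any real font.

```c
/* Hardened CFF INDEX reader: an added example, not cairo's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t count;
    size_t off_size;
    const uint8_t *offsets;   /* offset array, (count+1)*off_size bytes */
    const uint8_t *data_base; /* the byte preceding the object data */
} cff_index_t;

/* Big-endian decode of one off_size-byte offset. off_size was already
 * range-checked to 1..4, so the value is at most 32 bits and fits size_t
 * on every platform, including Win64 where long is 32 bits. */
static size_t cff_offset_decode (const uint8_t *p, size_t off_size)
{
    size_t v = 0;
    for (size_t i = 0; i < off_size; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Parse the INDEX at font[pos]. Returns 0 and fills *out and *end_pos on
 * success, -1 on any malformed input; a caller must not use *out after -1. */
static int cff_index_parse (const uint8_t *font, size_t font_len, size_t pos,
                            cff_index_t *out, size_t *end_pos)
{
    if (pos > font_len || font_len - pos < 2)
        return -1;
    size_t count = ((size_t) font[pos] << 8) | font[pos + 1];
    pos += 2;
    if (count == 0) {                      /* an empty INDEX is just the count */
        memset (out, 0, sizeof *out);
        *end_pos = pos;
        return 0;
    }
    if (font_len - pos < 1)
        return -1;
    size_t off_size = font[pos++];
    if (off_size < 1 || off_size > 4)      /* spec range; also bounds the decode */
        return -1;
    size_t off_array_len = (count + 1) * off_size;  /* <= 65536*4, cannot overflow */
    if (font_len - pos < off_array_len)    /* offset array itself must fit */
        return -1;
    const uint8_t *offsets = font + pos;
    pos += off_array_len;
    const uint8_t *data_base = font + pos - 1;
    size_t data_avail = font_len - (pos - 1);  /* bytes reachable from data_base */
    size_t prev = cff_offset_decode (offsets, off_size);
    if (prev != 1)                         /* spec: the first offset is always 1 */
        return -1;
    for (size_t i = 1; i <= count; i++) {
        size_t cur = cff_offset_decode (offsets + i * off_size, off_size);
        if (cur < prev)                    /* would be a negative-length entry */
            return -1;
        if (cur > data_avail)              /* entry would point past the font data */
            return -1;
        prev = cur;
    }
    out->count = count;
    out->off_size = off_size;
    out->offsets = offsets;
    out->data_base = data_base;
    *end_pos = (pos - 1) + prev;           /* first byte after the INDEX */
    return 0;
}

/* Object i of a parsed INDEX; safe because cff_index_parse validated every offset. */
static int cff_index_object (const cff_index_t *idx, size_t i,
                             const uint8_t **obj, size_t *len)
{
    if (i >= idx->count)
        return -1;
    size_t start = cff_offset_decode (idx->offsets + i * idx->off_size, idx->off_size);
    size_t end   = cff_offset_decode (idx->offsets + (i + 1) * idx->off_size, idx->off_size);
    *obj = idx->data_base + start;
    *len = end - start;                    /* cannot underflow: end >= start was checked */
    return 0;
}

/* Constructed inputs for the example (not from any real font). */
static const uint8_t k_good[]     = {0,2, 1, 1,3,6, 'a','b','c','d','e'}; /* "ab", "cde" */
static const uint8_t k_offsize5[] = {0,2, 5, 1,3,6, 'a','b','c','d','e'}; /* offSize 5: out of range */
static const uint8_t k_negative[] = {0,2, 1, 1,4,3, 'a','b','c','d','e'}; /* end 3 < start 4 */
static const uint8_t k_past_end[] = {0,2, 1, 1,3,9, 'a','b','c','d','e'}; /* offset 9 > 6 bytes available */

/* Returns the length of object 1 ("cde", so 3) of the good INDEX, or -1 on any failure. */
int demo_good_object_len (void)
{
    cff_index_t idx; size_t end; const uint8_t *obj; size_t len;
    if (cff_index_parse (k_good, sizeof k_good, 0, &idx, &end) != 0) return -1;
    if (end != sizeof k_good) return -1;
    if (cff_index_object (&idx, 1, &obj, &len) != 0) return -1;
    return memcmp (obj, "cde", 3) == 0 ? (int) len : -1;
}

/* Returns how many of the three malformed inputs the parser rejected (expect 3). */
int demo_rejected_count (void)
{
    cff_index_t idx; size_t end; int rejected = 0;
    rejected += cff_index_parse (k_offsize5, sizeof k_offsize5, 0, &idx, &end) != 0;
    rejected += cff_index_parse (k_negative, sizeof k_negative, 0, &idx, &end) != 0;
    rejected += cff_index_parse (k_past_end, sizeof k_past_end, 0, &idx, &end) != 0;
    return rejected;
}

int main (void)
{
    printf ("object 1 length: %d, rejected inputs: %d\n",
            demo_good_object_len (), demo_rejected_count ());
    return 0;
}
```

Every check is done on size_t values before any pointer is derived from them, so the length of an entry is never computed in a signed type that could go negative (the "-8" valgrind reported), and no offset is dereferenced until it has been shown to lie inside the buffer.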
In _cairo_type3_glyph_surface_create(), we call
_cairo_surface_clipper_init(), but nothing ever called
_cairo_surface_clipper_reset() in this call. This commit adds that
missing call.
This fixes a leak of a clip.
Since I have no clue about this code (does _cairo_pdf_operators_fini()
possibly use the clipper?), I did the patch like this. This should avoid
any possibility for a use-after-free.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51043
Signed-off-by: Uli Schlachter <psychon@znc.in>

According to valgrind, there is a use-after-free here. The function
_cairo_ps_surface_emit_surface() temporarily replaces some member of a
struct and then later re-sets it. However, there is an early return
possible that would skip that part of the code.
This commit moves the re-set up so that no freed pointers are left
behind. This seems to fix the crash.
Signed-off-by: Uli Schlachter <psychon@znc.in>

This adds the necessary dependencies for testing cairo-ps to CI and sets
up jobs for testing the ps2 and ps3 backends.
Signed-off-by: Uli Schlachter <psychon@znc.in>