This svg
<svg /><path stroke-dasharray=""fill="url(# "id=""/>
Lead to two memory leaks like the following:
98 bytes in 98 blocks are definitely lost in loss record 2 of 11
at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4EB8789: strdup (strdup.c:42)
by 0x493C450: save_graphics_state (cairo-svg-glyph-render.c:2894)
This happened because the value of gs->dash_array was replaced without
freeing the previous value. This commit adds the missing free and fixes
the leak.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54830
Signed-off-by: Uli Schlachter <psychon@znc.in>
The original check-def.sh called make. In meson, check-def.sh is
replaced by two shell scripts, one for generating cairo.def, the other
for comparing with the library symbols.
The library filename appended to the cairo.def has been omitted as
this is only reqired in autotools builds where the cairo.def is also
to generate cairo.dll in the windows build.
make-cairo-def.sh is based on the cairo.def target in Makefile.am.
meson-check-def.sh is based on check-def.sh
Inspired by [1], I looked into the other functions in
cairo-image-info.c. This commit fixes the possible out-of-bound reads
that I found just by staring at the code.
_jpx_next_box() would happily read beyond the end of the data via
get_unaligned_be32(). This commit adds checks that at least for bytes of
data are available.
Additionally, I made this function check that its returned pointer is
within bounds, just because I found this easier to reason about.
Also, _jpx_extract_info() did not check that it had enough data to read.
This is fixed by making the function fallible and giving it information
about the end of data.
[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/386
Signed-off-by: Uli Schlachter <psychon@znc.in>
The autotools build files are on their way out (See !298). As
preparation for dropping the autotools build, this commit switches CI to
run tests based on the meson build instead of the autotools one.
No functional changes intended.
Signed-off-by: Uli Schlachter <psychon@znc.in>
The check-refs.sh script detects duplicate reference images. This commit
adds it to be run by CI. For this, the script is extended with a proper
exit code.
Signed-off-by: Uli Schlachter <psychon@znc.in>
Running test/check-refs.sh reports:
redundant: arc-direction.pdf.ref.png and arc-direction.ref.png are byte-by-byte identical files
redundant: big-little-triangle.traps.argb32.ref.png and big-little-triangle.argb32.ref.png are byte-by-byte identical files
redundant: big-little-triangle.traps.rgb24.ref.png and big-little-triangle.rgb24.ref.png are byte-by-byte identical files
redundant: clip-fill-rule.pdf.rgb24.ref.png and clip-fill-rule.rgb24.ref.png are byte-by-byte identical files
redundant: dash-offset-negative.pdf.ref.png and dash-offset-negative.ref.png are byte-by-byte identical files
redundant: font-matrix-translation.traps.ref.png and font-matrix-translation.ref.png are byte-by-byte identical files
redundant: ft-show-glyphs-positioning.traps.ref.png and ft-show-glyphs-positioning.ref.png are byte-by-byte identical files
redundant: ft-show-glyphs-table.traps.ref.png and ft-show-glyphs-table.ref.png are byte-by-byte identical files
redundant: glyph-cache-pressure.traps.ref.png and glyph-cache-pressure.ref.png are byte-by-byte identical files
redundant: inverse-text.traps.ref.png and inverse-text.ref.png are byte-by-byte identical files
redundant: line-width-large-overlap-offset.ps.ref.png and line-width-large-overlap-offset.ref.png are byte-by-byte identical files
redundant: partial-clip-text-right.traps.ref.png and partial-clip-text-right.ref.png are byte-by-byte identical files
redundant: partial-clip-text-top.traps.ref.png and partial-clip-text-top.ref.png are byte-by-byte identical files
redundant: record90-fill-alpha.pdf.ref.png and record90-fill-alpha.ref.png are byte-by-byte identical files
redundant: record90-paint-alpha-clip.quartz.ref.png and record90-paint-alpha-clip.ref.png are byte-by-byte identical files
redundant: record-fill-alpha.pdf.ref.png and record-fill-alpha.ref.png are byte-by-byte identical files
redundant: recordflip-whole-fill-alpha.quartz.ref.png and recordflip-whole-fill-alpha.ref.png are byte-by-byte identical files
redundant: recordflip-whole-paint-alpha-clip-mask.quartz.ref.png and recordflip-whole-paint-alpha-clip-mask.ref.png are byte-by-byte identical files
redundant: record-mesh.ps.ref.png and record-mesh.ref.png are byte-by-byte identical files
redundant: select-font-face.traps.ref.png and select-font-face.ref.png are byte-by-byte identical files
redundant: show-glyphs-advance.traps.ref.png and show-glyphs-advance.ref.png are byte-by-byte identical files
redundant: show-text-current-point.traps.ref.png and show-text-current-point.ref.png are byte-by-byte identical files
redundant: text-antialias-gray.traps.ref.png and text-antialias-gray.ref.png are byte-by-byte identical files
This commit removes these redundant files.
Signed-off-by: Uli Schlachter <psychon@znc.in>
In a recent MR [1], Adrian Johnson writes:
For additional safety you could change the unsigned long to size_t
since long is 32-bits on Win64. The CFF spec says the offset size used
in decode_index_offset must be between 1 and 4 so you could range
check that to avoid overflowing the offset.
This commit implements exactly that.
[1]: https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/382#note_1700743
Signed-off-by: Uli Schlachter <psychon@znc.in>
While working on the previous commit, I noticed that nothing makes sure
that the entry points within the font data. Thus, this could easily
cause out-of-bounds reads.
This commit adds a suitable length check for this.
Signed-off-by: Uli Schlachter <psychon@znc.in>
I was looking at [1]. While trying to reproduce the problem that is
described there, valgrind reported:
Argument 'size' of function malloc has a fishy (possibly negative) value: -8
at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4B20E92: cairo_cff_font_read_name (cairo-cff-subset.c:895)
by 0x4B221AD: cairo_cff_font_read_font (cairo-cff-subset.c:1351)
by 0x4B24EF2: cairo_cff_font_generate (cairo-cff-subset.c:2587)
by 0x4B25EA3: _cairo_cff_subset_init (cairo-cff-subset.c:2979)
This commit is about fixing the above.
The function decode_index_offset() returns an unsigned long. This value
was cast to an "int" in cff_index_read(), leading to a possibility for
over/underflow. Also, nothing checked that an entry in the index table
had a non-zero length, leading to an entry with length -8 as reported by
valgrind.
Fix this by using "unsigned long" for the local variables and checking
the length to be non-negative.
With the above fixed, the original test case started crashing.
Apparently, cairo_cff_font_read_name() does not expect nor handle
failures from cff_index_read(). Thus, a check for this case was added to
make the new crash go away.
[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51324
Signed-off-by: Uli Schlachter <psychon@znc.in>
In _cairo_type3_glyph_surface_create(), we call
_cairo_surface_clipper_init(), but nothing ever called
_cairo_surface_clipper_reset() in this call. This commit adds that
missing call.
This fixes a leak of a clip.
Since I have no clue about this code (does _cairo_pdf_operators_fini()
possible use the clipper?), I did the patch like this. This should avoid
any possibility for a use-after-free.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51043
Signed-off-by: Uli Schlachter <psychon@znc.in>
