List: cairo-bugs
Subject: [cairo-bugs] [Bug 75819] New: _cairo_clip_set_all_clipped returns const value as non-const, caller m
From: bugzilla-daemon () freedesktop ! org
Date: 2014-03-06 3:32:46
Message-ID: bug-75819-4039 () http ! bugs ! freedesktop ! org/
https://bugs.freedesktop.org/show_bug.cgi?id=75819
Priority: medium
Bug ID: 75819
Assignee: chris@chris-wilson.co.uk
Summary: _cairo_clip_set_all_clipped returns const value as non-const, caller modifies it -> crash on some platforms
QA Contact: cairo-bugs@cairographics.org
Severity: normal
Classification: Unclassified
OS: All
Reporter: andrew-freedesktop@gizmolabs.org
Hardware: All
Status: NEW
Version: unspecified
Component: general
Product: cairo
This bug was originally filed as part of poppler, but it seems to be a cairo
issue: https://bugs.freedesktop.org/show_bug.cgi?id=74661
Here are the relevant code snippets:
> > > > cairo-clip.c: (on some platforms, this will be allocated to a read-only page of memory)
const cairo_clip_t __cairo_clip_all;
> > > > cairo-clip-inline.h: (returning __cairo_clip_all as non-const! uh oh...)
static inline cairo_clip_t *
_cairo_clip_set_all_clipped (cairo_clip_t *clip)
{
    _cairo_clip_destroy (clip);
    return (cairo_clip_t *) &__cairo_clip_all;
}
> > > > cairo-clip-boxes.c: (mutate __cairo_clip_all -> CRASH!)
static cairo_clip_t *
_cairo_clip_intersect_rectangle_box (cairo_clip_t *clip,
                                     const cairo_rectangle_int_t *r,
                                     const cairo_box_t *box)
{
    ...
    clip = _cairo_clip_set_all_clipped (clip);
    ...
    clip->is_region = _cairo_box_is_pixel_aligned (box);
    ^^^^^^^^^^^^^^^ bad write
    ...
}
I'm not a cairo expert by any stretch of the imagination, so I don't know the
solution here. My gut reaction is to make the memory non-const so that it
doesn't crash; that should at least work as well as systems where this doesn't
crash. Still, it seems like someone who knows this code could see if there's a
better solution.
Thanks,
-andrew
--
You are receiving this mail because:
You are the QA Contact for the bug.
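The pattern in the report, reduced to a stand-alone C example (added here, not cairo's own code; clip_t, clip_all_clipped and the function names are simplified stand-ins): a const sentinel handed out through a cast-away-const pointer, beside a caller that checks for the sentinel and returns before writing, so a read-only page is never touched.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for cairo_clip_t, not the real struct. */
typedef struct {
    bool is_region;
    int  num_boxes;
} clip_t;

/* Like __cairo_clip_all: a const object the linker may put in .rodata.
 * A store through a pointer derived from it is undefined behaviour and
 * faults (SIGSEGV/SIGBUS) wherever that section is mapped read-only. */
static const clip_t clip_all_clipped = { false, 0 };

static bool clip_is_all_clipped(const clip_t *clip)
{
    return clip == &clip_all_clipped;
}

static void clip_destroy(clip_t *clip)
{
    /* The sentinel is shared and static; never free it. */
    if (clip != NULL && !clip_is_all_clipped(clip))
        free(clip);
}

/* Mirrors _cairo_clip_set_all_clipped: the cast silences the compiler,
 * it does not make the object writable. gcc/clang -Wcast-qual flags it. */
static clip_t *clip_set_all_clipped(clip_t *clip)
{
    clip_destroy(clip);
    return (clip_t *) &clip_all_clipped;
}

/* Hardened caller: once the clip collapses to the sentinel, return it
 * as-is. The buggy version fell through and wrote clip->is_region. */
static clip_t *clip_intersect_box_checked(clip_t *clip, bool box_empty,
                                          bool pixel_aligned)
{
    if (box_empty)
        return clip_set_all_clipped(clip);
    if (clip == NULL && (clip = calloc(1, sizeof *clip)) == NULL)
        return NULL;
    clip->is_region = pixel_aligned;   /* safe: never the const sentinel */
    clip->num_boxes = 1;
    return clip;
}
```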
_______________________________________________
cairo-bugs mailing list
cairo-bugs@lists.cairographics.org
http://lists.cairographics.org/mailman/listinfo/cairo-bugs