[cairo] insufficient checking
Submitted by Owen Taylor
Link to original bug (#623331)
Description
May be missing something here, but e.g.
    if (!gjs_parse_args(context, "setSource", "o", argc, argv,
                        "pattern", &pattern_wrapper))
        return JS_FALSE;

    pattern = gjs_cairo_pattern_get_pattern(context, pattern_wrapper);
    if (!pattern) {
        gjs_throw(context, "first argument to setSource() should be a pattern");
        return JS_FALSE;
    }
As if gjs_cairo_pattern_get_pattern checked, but:
cairo_pattern_t *
gjs_cairo_pattern_get_pattern(JSContext *context,
                              JSObject  *object)
{
    GjsCairoPattern *priv;

    g_return_val_if_fail(context != NULL, NULL);
    g_return_val_if_fail(object != NULL, NULL);

    /* JS_GetPrivate does not check which class owns the object */
    priv = JS_GetPrivate(context, object);
    if (priv == NULL)
        return NULL;

    return priv->pattern;
}
Looks like segfault city to me if I pass in the wrong type of object to context.setSource().
If gjs_cairo_pattern_get_pattern was using priv_from_js() I think it might work.
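Added example, not code from the gjs project or from the bug reporter: a constructed toy model of the two lookups contrasted above. `get_private_unchecked` stands in for JS_GetPrivate (returns whatever private pointer the object carries) and `pattern_priv_from_js` for a class-checking priv_from_js(); the JSClass/JSObject structs and the surface wrapper are assumptions standing in for the real JSAPI types.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the SpiderMonkey types (not the real JSAPI). */
typedef struct { const char *name; } JSClass;
typedef struct { const JSClass *clasp; void *priv; } JSObject;

/* Private data of two different wrappers: different classes, different layouts. */
typedef struct { int width; int height; } GjsCairoSurfacePriv;
typedef struct { void *pattern; } GjsCairoPattern;

static const JSClass gjs_cairo_pattern_class = { "CairoPattern" };
static const JSClass gjs_cairo_surface_class = { "CairoSurface" };

/* Mirrors JS_GetPrivate: hands back the private pointer no matter which
   class created the object, so it is non-NULL for any wrapped object. */
static void *get_private_unchecked(JSObject *obj) { return obj->priv; }

/* Mirrors a class-checking priv_from_js(): only returns the private data
   when the object really belongs to the pattern class, else NULL. */
static GjsCairoPattern *pattern_priv_from_js(JSObject *obj)
{
    if (obj == NULL || obj->clasp != &gjs_cairo_pattern_class)
        return NULL;
    return (GjsCairoPattern *) obj->priv;
}

/* 1 if a surface object would slip past `if (!pattern)` on the unchecked path. */
int unchecked_guard_bypassed(void)
{
    GjsCairoSurfacePriv surface_priv = { 100, 200 };   /* constructed sample */
    JSObject surface = { &gjs_cairo_surface_class, &surface_priv };
    /* The caller would go on to read priv->pattern from surface data. */
    return get_private_unchecked(&surface) != NULL;
}

/* 1 if the checked path rejects a surface object as "not a pattern". */
int checked_rejects_wrong_class(void)
{
    GjsCairoSurfacePriv surface_priv = { 100, 200 };
    JSObject surface = { &gjs_cairo_surface_class, &surface_priv };
    return pattern_priv_from_js(&surface) == NULL;
}

/* 1 if the checked path still returns the pattern for a genuine pattern object. */
int checked_accepts_pattern(void)
{
    int dummy_pattern;                                  /* stands in for cairo_pattern_t */
    GjsCairoPattern pattern_priv = { &dummy_pattern };
    JSObject pattern = { &gjs_cairo_pattern_class, &pattern_priv };
    GjsCairoPattern *priv = pattern_priv_from_js(&pattern);
    return priv != NULL && priv->pattern == &dummy_pattern;
}
```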