Fuzz: Use-of-uninitialized-value in intersect (cairo-boxes-intersect.c:458)
Submitted by Atte Kettunen
Assigned to Federico Mena Quintero @federico
Link to original bug (#744404)
Description
Tested on:
OS: Ubuntu 14.04
librsvg from github @ commit 40033648
I'm not 100% sure if this is a librsvg or cairo issue, but anyway it can be triggered via rsvg-convert.
Reproducing file:
<svg s="h">
<defs> <clipPath id="clipper">
</clipPath> </defs>
</g> <svg>
<svg> <svg> <svg> <svg> <svg> <svg> <svg> <svg> <svg> <svg>
x<svg> <svg> <svg>
<svg> <svg> <svg> <svg> <svg> <svg> <svg> <svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </svg> </g> </svg>
Valgrind report:
==21933== Memcheck, a memory error detector
==21933== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==21933== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==21933== Command: rsvg-convert heap-buffer-overflow-e18-58f-0de.svg -o /dev/null
==21933==
==21933== Use of uninitialised value of size 8
==21933==    at 0x52DD36C: intersect (cairo-boxes-intersect.c:458)
==21933==    by 0x52DDB4E: _cairo_boxes_intersect (cairo-boxes-intersect.c:685)
==21933==    by 0x52E18E1: _cairo_clip_intersect_boxes (cairo-clip-boxes.c:290)
==21933==    by 0x52E1A4D: _cairo_clip_intersect_rectilinear_path (cairo-clip-boxes.c:145)
==21933==    by 0x52E04AB: _cairo_clip_intersect_path (cairo-clip.c:261)
==21933==    by 0x52EBC0A: _cairo_gstate_clip (cairo-gstate.c:1568)
==21933==    by 0x52E5278: _cairo_default_context_clip (cairo-default-context.c:1100)
==21933==    by 0x52DEC14: cairo_clip (cairo.c:2496)
==21933==    by 0x4E60DE5: rsvg_cairo_clip (rsvg-cairo-clip.c:170)
==21933==    by 0x4E5F398: rsvg_cairo_push_discrete_layer (rsvg-cairo-draw.c:777)
==21933==    by 0x4E5454A: _rsvg_node_draw_children (rsvg-structure.c:83)
==21933==    by 0x4E54502: rsvg_node_draw (rsvg-structure.c:69)
==21933==
==21933== Invalid write of size 8
==21933==    at 0x52DD36C: intersect (cairo-boxes-intersect.c:458)
==21933==    by 0x52DDB4E: _cairo_boxes_intersect (cairo-boxes-intersect.c:685)
==21933==    by 0x52E18E1: _cairo_clip_intersect_boxes (cairo-clip-boxes.c:290)
==21933==    by 0x52E1A4D: _cairo_clip_intersect_rectilinear_path (cairo-clip-boxes.c:145)
==21933==    by 0x52E04AB: _cairo_clip_intersect_path (cairo-clip.c:261)
==21933==    by 0x52EBC0A: _cairo_gstate_clip (cairo-gstate.c:1568)
==21933==    by 0x52E5278: _cairo_default_context_clip (cairo-default-context.c:1100)
==21933==    by 0x52DEC14: cairo_clip (cairo.c:2496)
==21933==    by 0x4E60DE5: rsvg_cairo_clip (rsvg-cairo-clip.c:170)
==21933==    by 0x4E5F398: rsvg_cairo_push_discrete_layer (rsvg-cairo-draw.c:777)
==21933==    by 0x4E5454A: _rsvg_node_draw_children (rsvg-structure.c:83)
==21933==    by 0x4E54502: rsvg_node_draw (rsvg-structure.c:69)
==21933==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21933==
==21933==
==21933== Process terminating with default action of signal 11 (SIGSEGV)
==21933==  Access not within mapped region at address 0x0
==21933==    at 0x52DD36C: intersect (cairo-boxes-intersect.c:458)
==21933==    by 0x52DDB4E: _cairo_boxes_intersect (cairo-boxes-intersect.c:685)
==21933==    by 0x52E18E1: _cairo_clip_intersect_boxes (cairo-clip-boxes.c:290)
==21933==    by 0x52E1A4D: _cairo_clip_intersect_rectilinear_path (cairo-clip-boxes.c:145)
==21933==    by 0x52E04AB: _cairo_clip_intersect_path (cairo-clip.c:261)
==21933==    by 0x52EBC0A: _cairo_gstate_clip (cairo-gstate.c:1568)
==21933==    by 0x52E5278: _cairo_default_context_clip (cairo-default-context.c:1100)
==21933==    by 0x52DEC14: cairo_clip (cairo.c:2496)
==21933==    by 0x4E60DE5: rsvg_cairo_clip (rsvg-cairo-clip.c:170)
==21933==    by 0x4E5F398: rsvg_cairo_push_discrete_layer (rsvg-cairo-draw.c:777)
==21933==    by 0x4E5454A: _rsvg_node_draw_children (rsvg-structure.c:83)
==21933==    by 0x4E54502: rsvg_node_draw (rsvg-structure.c:69)
==21933==  If you believe this happened as a result of a stack
==21933==  overflow in your program's main thread (unlikely but
==21933==  possible), you can try to increase the size of the
==21933==  main thread stack using the --main-stacksize= flag.
==21933==  The main thread stack size used in this run was 8388608.
==21933==
==21933== HEAP SUMMARY:
==21933==     in use at exit: 225,299 bytes in 2,383 blocks
==21933==   total heap usage: 6,344 allocs, 3,961 frees, 461,397 bytes allocated
==21933==
==21933== LEAK SUMMARY:
==21933==    definitely lost: 0 bytes in 0 blocks
==21933==    indirectly lost: 0 bytes in 0 blocks
==21933==      possibly lost: 10,324 bytes in 178 blocks
==21933==    still reachable: 202,767 bytes in 2,121 blocks
==21933==         suppressed: 0 bytes in 0 blocks
==21933== Rerun with --leak-check=full to see details of leaked memory
==21933==
==21933== For counts of detected and suppressed errors, rerun with: -v
==21933== Use --track-origins=yes to see where uninitialised values come from
==21933== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Version: git master
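A Memcheck log like the one above is what a fuzzing harness hands to whoever triages the crash. The Python below is an added triage helper, not code from this report, librsvg or cairo: it parses the `==PID==` lines into structured errors and answers the two questions the report leaves open, namely where the faulting access happens (a write to address 0x0, so a NULL dereference rather than heap corruption) and which librsvg frame called into cairo, which is what the "librsvg or cairo?" attribution hinges on. The list of Memcheck header prefixes and the one-page near-null threshold are assumptions of this example; the embedded sample is an excerpt of the report's own output with the repeated frames trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the Memcheck output from this report (PID 21933), trimmed to the
# lines the parser needs; only the frame list is shortened.
SAMPLE_LOG = """\
==21933== Memcheck, a memory error detector
==21933== Command: rsvg-convert heap-buffer-overflow-e18-58f-0de.svg -o /dev/null
==21933==
==21933== Use of uninitialised value of size 8
==21933==    at 0x52DD36C: intersect (cairo-boxes-intersect.c:458)
==21933==    by 0x52DDB4E: _cairo_boxes_intersect (cairo-boxes-intersect.c:685)
==21933==    by 0x52DEC14: cairo_clip (cairo.c:2496)
==21933==    by 0x4E60DE5: rsvg_cairo_clip (rsvg-cairo-clip.c:170)
==21933==    by 0x4E5454A: _rsvg_node_draw_children (rsvg-structure.c:83)
==21933==
==21933== Invalid write of size 8
==21933==    at 0x52DD36C: intersect (cairo-boxes-intersect.c:458)
==21933==    by 0x52DDB4E: _cairo_boxes_intersect (cairo-boxes-intersect.c:685)
==21933==    by 0x52DEC14: cairo_clip (cairo.c:2496)
==21933==    by 0x4E60DE5: rsvg_cairo_clip (rsvg-cairo-clip.c:170)
==21933==    by 0x4E5454A: _rsvg_node_draw_children (rsvg-structure.c:83)
==21933==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21933==
==21933== Process terminating with default action of signal 11 (SIGSEGV)
==21933== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

# Memcheck message prefixes that open an error block (assumed list, not exhaustive).
ERROR_HEADERS = (
    "Invalid read", "Invalid write", "Use of uninitialised value",
    "Conditional jump or move depends on uninitialised value", "Syscall param",
    "Invalid free", "Mismatched free", "Source and destination overlap",
)
PREFIX_RE = re.compile(r"^==(\d+)==(.*)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(r"^Address 0x([0-9A-Fa-f]+) is (.*)$")
SIGNAL_RE = re.compile(r"^Process terminating with default action of signal \d+ \((\w+)\)")
SUMMARY_RE = re.compile(r"^ERROR SUMMARY: (\d+) errors? from (\d+) contexts?")

@dataclass
class Frame:
    function: str
    location: str                                # "file.c:line" or "in /path/to/lib"

@dataclass
class MemcheckError:
    kind: str                                    # e.g. "Invalid write of size 8"
    frames: list = field(default_factory=list)   # innermost (faulting) frame first
    address: Optional[int] = None                # faulting address, access errors only
    address_note: str = ""

@dataclass
class Report:
    pid: int
    command: str = ""
    errors: list = field(default_factory=list)
    signal: Optional[str] = None
    error_count: Optional[int] = None

def parse_memcheck(text: str) -> Report:
    """Turn raw Memcheck stderr into a Report; non-Memcheck lines are ignored."""
    report, current = None, None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                             # program output interleaved with Memcheck
        if report is None:
            report = Report(pid=int(m.group(1)))
        body = m.group(2).strip()
        if not body:
            current = None                       # an empty ==PID== line closes the block
            continue
        if body.startswith("Command: "):
            report.command = body[len("Command: "):]
        elif body.startswith(ERROR_HEADERS):
            current = MemcheckError(kind=body)
            report.errors.append(current)
        elif (f := FRAME_RE.match(body)) and current is not None:
            current.frames.append(Frame(f.group(1), f.group(2)))
        elif (a := ADDR_RE.match(body)) and current is not None:
            current.address, current.address_note = int(a.group(1), 16), a.group(2)
        elif (s := SIGNAL_RE.match(body)):
            report.signal, current = s.group(1), None
        elif (e := SUMMARY_RE.match(body)):
            report.error_count = int(e.group(1))
    return report

def is_near_null(err: MemcheckError, page_size: int = 0x1000) -> bool:
    """Faulting address inside the (assumed unmapped) first page: a NULL or
    NULL-plus-offset dereference, not a heap or stack corruption."""
    return err.address is not None and err.address < page_size

def first_frame_from(err: MemcheckError, prefix: str) -> Optional[Frame]:
    """Walk outward from the faulting frame to the first function whose name
    (ignoring a leading underscore) starts with prefix, e.g. "rsvg_"."""
    return next((f for f in err.frames if f.function.lstrip("_").startswith(prefix)), None)

def triage(text: str, caller_prefix: str = "rsvg_") -> dict:
    """One-line summary a fuzz triage queue can sort and deduplicate on."""
    r = parse_memcheck(text)
    top = r.errors[0].frames[0] if r.errors and r.errors[0].frames else None
    entry = next((first_frame_from(e, caller_prefix) for e in r.errors
                  if first_frame_from(e, caller_prefix)), None)
    return {
        "kinds": [e.kind for e in r.errors],
        "crash_site": f"{top.function} ({top.location})" if top else None,
        "null_deref": any(is_near_null(e) for e in r.errors),
        "entered_from": entry.function if entry else None,
        "signal": r.signal,
        "error_count": r.error_count,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it on the full log saved from `valgrind rsvg-convert ...` (the script reads any text containing `==PID==` lines) and the `entered_from` field names the first librsvg function on the stack, which is the place to add an assertion or a regression test whichever project ends up owning the fix.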