Closed Bug 600084 Opened 15 years ago Closed 14 years ago

possible snprintf() buffer overflow in _cairo_fixed_path_add()

Categories

(Core :: Graphics, defect)



RESOLVED WONTFIX

People

(Reporter: dveditz, Assigned: jrmuizel)

Details

(Whiteboard: [sg:nse] dead code in Gecko)

In _cairo_fixed_path_add() there are several calls to snprintf() in a loop that look like

    len += snprintf (buf + len, sizeof (buf), ...)

I don't know if we call this function for anything (the string itself looks like it's spit out on stderr) or if a potential attacker can add enough points to the path to blow out the 1K buffer. But if so the snprintf() isn't going to help us when the code keeps using the size of the fully empty buffer. Should be "sizeof(buf)-len" instead.

http://mxr.mozilla.org/mozilla-central/source/gfx/cairo/cairo/src/cairo-path-fixed.c#664
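The size-argument mistake in the report is easy to see in isolation. The following is an added example written for this page, not code from cairo or from the bug; the point type, the 32-byte logical buffer, the formatting string and the canary-filled backing array are all constructed here. The buggy loop passes the full buffer size on every iteration, so its writes march past the logical buffer into the canary region (the backing array is large enough that this stays within allocated memory); the corrected loop passes the remaining capacity, stops on truncation, and never touches a byte beyond the logical buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed point type for this example (not cairo's own types). */
typedef struct { int x, y; } point_t;

/* Logical buffer size used by both formatters: deliberately small so a
 * handful of points is enough to fill it. */
#define LOGICAL_SIZE 32
/* Backing storage is larger so the buggy formatter's overrun lands in a
 * canary region we can inspect, rather than in unrelated memory. */
#define BACKING_SIZE 256
#define CANARY 0xAA

/* The pattern the bug report describes: every iteration tells snprintf it
 * has the whole buffer, so once len > 0 the bound no longer matches the
 * space that is actually left after buf + len. */
static size_t format_points_buggy(char *buf, const point_t *pts, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += (size_t)snprintf(buf + len, LOGICAL_SIZE, "%d,%d ", pts[i].x, pts[i].y);
    return len;
}

/* Corrected form: pass the remaining capacity (sizeof(buf) - len) and stop
 * as soon as snprintf reports truncation, so len never runs past the end. */
static size_t format_points_fixed(char *buf, const point_t *pts, size_t n, int *truncated)
{
    size_t len = 0;
    *truncated = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t remaining = LOGICAL_SIZE - len;
        int w = snprintf(buf + len, remaining, "%d,%d ", pts[i].x, pts[i].y);
        if (w < 0 || (size_t)w >= remaining) {
            *truncated = 1;   /* output was cut short; len is still a valid offset */
            break;
        }
        len += (size_t)w;
    }
    return len;
}

/* Returns how many bytes beyond LOGICAL_SIZE were overwritten, measured as
 * the distance to the last disturbed canary byte (0 means in bounds). */
static size_t bytes_overrun(const char *backing)
{
    size_t overrun = 0;
    for (size_t i = LOGICAL_SIZE; i < BACKING_SIZE; i++)
        if ((unsigned char)backing[i] != CANARY)
            overrun = i - LOGICAL_SIZE + 1;
    return overrun;
}

/* Runs one formatter over npoints constructed points (each renders as ten
 * characters, e.g. "1000,2000 ") against a fresh canary-filled backing
 * buffer and reports the overrun it produced. */
static size_t overrun_for(int use_fixed, size_t npoints)
{
    char backing[BACKING_SIZE];
    point_t pts[64];
    int truncated;
    if (npoints > 64) npoints = 64;
    memset(backing, CANARY, sizeof backing);
    for (size_t i = 0; i < npoints; i++) {
        pts[i].x = 1000 + (int)i;
        pts[i].y = 2000 + (int)i;
    }
    if (use_fixed)
        format_points_fixed(backing, pts, npoints, &truncated);
    else
        format_points_buggy(backing, pts, npoints);
    return bytes_overrun(backing);
}

int main(void)
{
    printf("buggy formatter overran the logical buffer by %zu bytes\n", overrun_for(0, 8));
    printf("fixed formatter overran the logical buffer by %zu bytes\n", overrun_for(1, 8));
    return 0;
}
```

With eight ten-character points the buggy loop writes 80 characters plus a terminator into a 32-byte logical buffer, an overrun of 49 bytes; the fixed loop fills 30 bytes, detects truncation on the fourth point and stops. Checking the snprintf return value against the remaining space is what makes the fix complete: passing `sizeof(buf) - len` alone prevents the write from overrunning, but without the check `len` would keep growing past the buffer on later iterations and the subtraction would wrap.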
WATCH_PATH should never be set in our case.
Whiteboard: [sg:critical?] not exploitable in firefox
WATCH_PATH is #defined to 0 in our tree -- not a problem. Do we need to notify the upstream? Presumably this code is there for _someone_ to use.
Whiteboard: [sg:critical?] not exploitable in firefox → [sg:nse] dead code in Gecko
From upstream log:

    [path] Add path watch debugging

    Simple debug macro to print the path to stderr during construction.

It's a debug-only macro, closing out.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Group: core-security