Red Hat Bugzilla – Bug 1312337
CVE-2016-9082 cairo: Out of bounds read in read_png/write_png in cairo-png.c
Last modified: 2017-04-06 05:13:40 EDT
It was found that a specially crafted SVG file can trigger a crash in png_write_row when converting the given SVG using librsvg2 and cairo. The crash happens inside libpng when trying to access an invalid pointer.
Name: Gustavo Grieco
Created attachment 1130832
*** Bug 1382656 has been marked as a duplicate of this bug. ***
Created cairo tracking bugs for this issue:
Affects: fedora-all [bug 1384554]
Created mingw-cairo tracking bugs for this issue:
Affects: fedora-all [bug 1384555]
Affects: epel-7 [bug 1384556]
The upstream bug mentions a separate issue that may cause out-of-bounds writes. While this looks correct initially, I don't think that this is feasible:
The memory is allocated using _cairo_malloc_ab(), which has a built-in overflow check. As far as I can tell, this will catch the problem before we can reach the problematic code.
This leaves only the out-of-bounds read, which, all things considered, isn't really that dangerous.
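The overflow-checked multiply-and-allocate pattern the comment above relies on, as an added example written for this page: an illustrative reimplementation of the idea behind _cairo_malloc_ab(), not cairo's own code, and the function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* What an unchecked "a * b" does: unsigned multiplication silently wraps,
 * so a crafted image size can yield a tiny (even zero-byte) allocation
 * that later row writes would overrun. Shown only to contrast with the
 * checked version below. */
size_t wrapped_product(size_t a, size_t b)
{
    return a * b;
}

/* Overflow-checked allocation of a * b bytes (illustrative, not cairo's
 * own macro): refuse the request before the product can wrap. */
void *checked_malloc_ab(size_t a, size_t b)
{
    if (b != 0 && a > SIZE_MAX / b)
        return NULL;            /* would overflow: caller must reject the image */
    return malloc(a * b);
}

/* Image buffer allocation as two chained checks: the row stride
 * (width * bytes_per_pixel) and then the whole buffer (stride * height).
 * Returns NULL if either product would overflow. */
void *alloc_image_rows(size_t width, size_t height, size_t bytes_per_pixel)
{
    if (bytes_per_pixel != 0 && width > SIZE_MAX / bytes_per_pixel)
        return NULL;
    size_t stride = width * bytes_per_pixel;
    return checked_malloc_ab(stride, height);
}

/* Demonstration: a 64x64 RGBA image allocates normally and every row can
 * be written; an absurd width is refused instead of wrapping. */
int demo(void)
{
    unsigned char *buf = alloc_image_rows(64, 64, 4);
    if (!buf)
        return -1;
    for (size_t row = 0; row < 64; row++)
        memset(buf + row * 64 * 4, 0xff, 64 * 4);   /* in bounds by construction */
    free(buf);
    if (alloc_image_rows(SIZE_MAX / 2, 4, 4) != NULL)
        return -2;                                  /* must have been rejected */
    return 0;
}
```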
*** Bug 1382658 has been marked as a duplicate of this bug. ***
*** Bug 1382659 has been marked as a duplicate of this bug. ***
*** Bug 1382662 has been marked as a duplicate of this bug. ***