It was found that a specially crafted SVG file can trigger a crash in png_write_row when converting the given SVG using librsvg2 and cairo. The crash happens inside libpng when trying to access an invalid pointer.

Acknowledgements: Name: Gustavo Grieco
Created attachment 1130832: Backtrace report
*** Bug 1382656 has been marked as a duplicate of this bug. ***
CVE request: http://seclists.org/oss-sec/2016/q4/44
Upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=98165
Created cairo tracking bugs for this issue:
Affects: fedora-all [bug 1384554]

Created mingw-cairo tracking bugs for this issue:
Affects: fedora-all [bug 1384555]
Affects: epel-7 [bug 1384556]
The upstream bug mentions a separate issue that may cause out-of-bounds writes. While this looks correct initially, I don't think that this is feasible: The memory is allocated using _cairo_malloc_ab(), which has a built-in overflow check. As far as I can tell, this will catch the problem before we can reach the problematic code. This leaves only the out-of-bounds read, which, all things considered, isn't really that dangerous.
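To illustrate the reasoning in the comment above, here is an added example (not cairo's own code) of the overflow-checked "count times element size" allocation pattern that _cairo_malloc_ab() follows: when the product would wrap, the request is refused instead of returning a buffer far smaller than the caller expects. The function names and the sample sizes are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical re-implementation of an overflow-checked a * size allocator,
 * in the spirit of cairo's _cairo_malloc_ab(); not cairo's own code.
 * Returns NULL when a * size would overflow size_t. */
void *checked_malloc_ab(size_t a, size_t size)
{
    if (size != 0 && a > SIZE_MAX / size)
        return NULL;               /* product would wrap: refuse the request */
    return malloc(a * size);
}

/* The unchecked pattern for comparison: the product silently wraps around,
 * which is what would make a later out-of-bounds write reachable. */
size_t naive_byte_count(size_t a, size_t size)
{
    return a * size;
}

/* 1 if the request is refused (overflow or allocation failure), 0 if it
 * succeeds; frees the buffer so it can be called from a harness. */
int request_is_refused(size_t a, size_t size)
{
    void *p = checked_malloc_ab(a, size);
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}

int main(void)
{
    /* constructed example: a row count and stride whose product wraps to 4 */
    size_t rows = SIZE_MAX / 2 + 2, stride = 4;
    printf("naive byte count wraps to %zu\n", naive_byte_count(rows, stride));
    printf("checked allocator refused: %d\n", request_is_refused(rows, stride));
    printf("small request refused: %d\n", request_is_refused(100, 4));
    return 0;
}
```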
*** Bug 1382658 has been marked as a duplicate of this bug. ***
*** Bug 1382659 has been marked as a duplicate of this bug. ***
*** Bug 1382662 has been marked as a duplicate of this bug. ***
Proposed patch: https://bugs.freedesktop.org/attachment.cgi?id=127421