[v2,1/8] script-surface: Check for invalid ids (CID #1159557, 1159558)

Submitted by Bryce Harrington on June 13, 2018, 12:35 a.m.

Details

Message ID 1528850138-30405-2-git-send-email-bryce@bryceharrington.org
State New
Series "Coverity fixes" ( rev: 2 ) in Cairo

Commit Message

Bryce Harrington June 13, 2018, 12:35 a.m.
If the bitmap's min is non-zero, _bitmap_next_id() could break out of
its loop early, before initializing the prev variable.  prev would then
be dereferenced without a null ptr check.  This condition should never
occur in practice, so add an assert() to assure it doesn't.

Same issue is present in trace.c.

Coverity IDs: #1159557, #1159558

Signed-off-by: Bryce Harrington <bryce@bryceharrington.org>
---
 src/cairo-script-surface.c | 1 +
 util/cairo-trace/trace.c   | 2 ++
 2 files changed, 3 insertions(+)

Patch

diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index e715cae..7db7dc5 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -262,6 +262,7 @@  _bitmap_next_id (struct _bitmap *b,
 	prev = &b->next;
 	b = b->next;
     } while (b != NULL);
+    assert (prev != NULL);
 
     bb = _cairo_malloc (sizeof (struct _bitmap));
     if (unlikely (bb == NULL))
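Review bot: The assert (prev != NULL) added after the do/while in _bitmap_next_id() is compiled out when NDEBUG is defined, so a release build that takes the early-exit path described in the commit message would still dereference an unset prev. If the condition really cannot occur, consider making that hold by construction (give prev a valid value before the loop) or handling it with an explicit check that returns an error, so the guarantee does not depend on build flags. It is also worth confirming that this file already pulls in <assert.h>, since the hunk does not add an include.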
diff --git a/util/cairo-trace/trace.c b/util/cairo-trace/trace.c
index 3c05613..87b2df4 100644
--- a/util/cairo-trace/trace.c
+++ b/util/cairo-trace/trace.c
@@ -299,8 +299,10 @@  _type_next_token (Type *t)
 	prev = &b->next;
 	b = b->next;
     }
+    assert (prev != NULL);
 
     bb = malloc (sizeof (struct _bitmap));
+
     *prev = bb;
     bb->next = b;
     bb->min = min;
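Review bot: The result of bb = malloc (sizeof (struct _bitmap)) in _type_next_token() is used immediately by *prev = bb, bb->next = b and bb->min = min without a NULL check, which is the same class of defect this patch is addressing for prev; the script-surface version of this code does check with unlikely (bb == NULL). Either add a check here or note in the commit message why the allocation failure is left unhandled in the trace utility. The blank line added after the malloc is an unrelated whitespace change and can be dropped, which would also bring the diffstat for this file back to one insertion.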