script-surface: Check for invalid ids (CID #1159557, 1159558)

If the bitmap's min is non-zero, _bitmap_next_id() could break out of its loop early, before initializing the prev variable. prev would then be dereferenced without a null ptr check. This condition should never occur in practice, so add an assert() to assure it doesn't. Same issue is present in trace.c. Coverity IDs: #1159557, #1159558 Reviewed-By: Uli Schlachter <psychon@znc.in> Signed-off-by: Bryce Harrington <bryce@bryceharrington.org>
author: Bryce Harrington <bryce@bryceharrington.org> 2018-06-06 09:30:00 -0700
committer: Bryce Harrington <bryce@bryceharrington.org> 2018-06-13 15:21:50 -0700
commit: 9d2e3646fa04c98747ae3b05a9be433eda7f2730 (patch)
tree: 8e04745c1ca9a82a967e7eeb41efdfd7981537f8
parent: d09d2ebfd5845de7b3fa12b76c4abead4d587016 (diff)
2 files changed, 3 insertions, 0 deletions
diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
index e715cae50..7db7dc5b0 100644
--- a/src/cairo-script-surface.c
+++ b/src/cairo-script-surface.c
@@ -262,6 +262,7 @@ _bitmap_next_id (struct _bitmap *b,
 	prev = &b->next;
 	b = b->next;
     } while (b != NULL);
+    assert (prev != NULL);
 
     bb = _cairo_malloc (sizeof (struct _bitmap));
     if (unlikely (bb == NULL))
diff --git a/util/cairo-trace/trace.c b/util/cairo-trace/trace.c
index 3c056134e..87b2df46e 100644
--- a/util/cairo-trace/trace.c
+++ b/util/cairo-trace/trace.c
@@ -299,8 +299,10 @@ _type_next_token (Type *t)
 	prev = &b->next;
 	b = b->next;
     }
+    assert (prev != NULL);
 
     bb = malloc (sizeof (struct _bitmap));
+
     *prev = bb;
     bb->next = b;
     bb->min = min;
author	Bryce Harrington <bryce@bryceharrington.org>	2018-06-06 09:30:00 -0700
committer	Bryce Harrington <bryce@bryceharrington.org>	2018-06-13 15:21:50 -0700
commit	9d2e3646fa04c98747ae3b05a9be433eda7f2730 (patch)
tree	8e04745c1ca9a82a967e7eeb41efdfd7981537f8
parent	d09d2ebfd5845de7b3fa12b76c4abead4d587016 (diff)