Testcase found while fuzzing mozilla-central rev d1982cee06ca (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build d1982cee06ca --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

[@ active_edges]

    =================================================================
    ==154411==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7fc37784e9c3 bp 0x7ffe2945f9b0 sp 0x7ffe2945c8e0 T0)
    ==154411==The signal is caused by a READ memory access.
    ==154411==Hint: address points to the zero page.
        #0 0x7fc37784e9c3 in active_edges /gfx/cairo/cairo/src/cairo-polygon-intersect.c:1171:6
        #1 0x7fc37784e9c3 in intersection_sweep /gfx/cairo/cairo/src/cairo-polygon-intersect.c:1207:6
        #2 0x7fc37784e9c3 in _cairo_polygon_intersect /gfx/cairo/cairo/src/cairo-polygon-intersect.c:1406:14
        #3 0x7fc3778b6d11 in _cairo_clip_get_polygon /gfx/cairo/cairo/src/cairo-clip-polygon.c:125:12
        #4 0x7fc3779848b8 in clip_and_composite_polygon /gfx/cairo/cairo/src/cairo-spans-compositor.c:938:11
        #5 0x7fc377969664 in _cairo_spans_compositor_fill /gfx/cairo/cairo/src/cairo-spans-compositor.c:1174:15
        #6 0x7fc3778beef7 in _cairo_compositor_fill /gfx/cairo/cairo/src/cairo-compositor.c:203:11
        #7 0x7fc3778f2f9c in _cairo_image_surface_fill /gfx/cairo/cairo/src/cairo-image-surface.c:1003:12
        #8 0x7fc37797167f in _cairo_surface_fill /gfx/cairo/cairo/src/cairo-surface.c:2473:14
        #9 0x7fc37785d175 in _cairo_surface_wrapper_fill /gfx/cairo/cairo/src/cairo-surface-wrapper.c:384:14
        #10 0x7fc377944030 in _cairo_recording_surface_replay_internal /gfx/cairo/cairo/src/cairo-recording-surface.c:1948:12
        #11 0x7fc37794509a in _cairo_recording_surface_replay_with_clip /gfx/cairo/cairo/src/cairo-recording-surface.c:2141:12
        #12 0x7fc3778000df in _pixman_image_for_recording /gfx/cairo/cairo/src/cairo-image-source.c:1226:14
        #13 0x7fc3778000df in _pixman_image_for_surface /gfx/cairo/cairo/src/cairo-image-source.c:1278:9
        #14 0x7fc3778000df in _pixman_image_for_pattern /gfx/cairo/cairo/src/cairo-image-source.c:1584:9
        #15 0x7fc3778016ad in _cairo_image_source_create_for_pattern /gfx/cairo/cairo/src/cairo-image-source.c:1629:2
        #16 0x7fc37798315c in composite_aligned_boxes /gfx/cairo/cairo/src/cairo-spans-compositor.c:678:8
        #17 0x7fc37798315c in clip_and_composite_boxes /gfx/cairo/cairo/src/cairo-spans-compositor.c:882:11
        #18 0x7fc377968db9 in _cairo_spans_compositor_paint /gfx/cairo/cairo/src/cairo-spans-compositor.c:983:14
        #19 0x7fc3778be6d7 in _cairo_compositor_paint /gfx/cairo/cairo/src/cairo-compositor.c:65:11
        #20 0x7fc377970309 in _cairo_surface_paint /gfx/cairo/cairo/src/cairo-surface.c:2248:14
        #21 0x7fc37785bcda in _cairo_surface_wrapper_paint /gfx/cairo/cairo/src/cairo-surface-wrapper.c:159:14
        #22 0x7fc3779439d3 in _cairo_recording_surface_replay_internal /gfx/cairo/cairo/src/cairo-recording-surface.c:1852:15
        #23 0x7fc37794509a in _cairo_recording_surface_replay_with_clip /gfx/cairo/cairo/src/cairo-recording-surface.c:2141:12
        #24 0x7fc377982adf in composite_aligned_boxes /gfx/cairo/cairo/src/cairo-spans-compositor.c:614:11
        #25 0x7fc377982adf in clip_and_composite_boxes /gfx/cairo/cairo/src/cairo-spans-compositor.c:882:11
        #26 0x7fc377968db9 in _cairo_spans_compositor_paint /gfx/cairo/cairo/src/cairo-spans-compositor.c:983:14
        #27 0x7fc3778be6d7 in _cairo_compositor_paint /gfx/cairo/cairo/src/cairo-compositor.c:65:11
        #28 0x7fc377970309 in _cairo_surface_paint /gfx/cairo/cairo/src/cairo-surface.c:2248:14
        #29 0x7fc3778d65f1 in _cairo_gstate_paint /gfx/cairo/cairo/src/cairo-gstate.c:1061:12
        #30 0x7fc37799b973 in _moz_cairo_paint /gfx/cairo/cairo/src/cairo.c:2219:14
        #31 0x7fc36e36183d in mozilla::gfx::SourceSurfaceCairo::GetDataSurface() /gfx/2d/SourceSurfaceCairo.cpp:60:5
        #32 0x7fc36e2a2b31 in mozilla::gfx::GetCairoSurfaceForSourceSurface(mozilla::gfx::SourceSurface*, bool, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gfx/2d/DrawTargetCairo.cpp:357:46
        #33 0x7fc36e2a1a9d in mozilla::gfx::DrawTargetCairo::DrawSurface(mozilla::gfx::SourceSurface*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawSurfaceOptions const&, mozilla::gfx::DrawOptions const&) /gfx/2d/DrawTargetCairo.cpp:876:27
        #34 0x7fc36e21f7ff in mozilla::gfx::RecordedDrawSurface::PlayEvent(mozilla::gfx::Translator*) const /gfx/2d/RecordedEventImpl.h:2827:7
        #35 0x7fc36e248c6f in std::function<bool (mozilla::gfx::RecordedEvent*)>::operator()(mozilla::gfx::RecordedEvent*) const /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
        #36 0x7fc36e35967a in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::EventStream>(mozilla::gfx::EventStream&, mozilla::gfx::RecordedEvent::EventType, std::function<bool (mozilla::gfx::RecordedEvent*)> const&) /gfx/2d/RecordedEventImpl.h:4053:5
        #37 0x7fc375be6c43 in mozilla::layout::PrintTranslator::TranslateRecording(mozilla::layout::PRFileDescStream&) /layout/printing/PrintTranslator.cpp:50:20
        #38 0x7fc375bea879 in mozilla::layout::RemotePrintJobParent::PrintPage(mozilla::layout::PRFileDescStream&, nsRefCountedHashtable<nsIntegralHashKey<unsigned long, 0>, RefPtr<mozilla::gfx::RecordedDependentSurface> >*) /layout/printing/ipc/RemotePrintJobParent.cpp:162:26
        #39 0x7fc375bea604 in FinishProcessingPage /layout/printing/ipc/RemotePrintJobParent.cpp:143:17
        #40 0x7fc375bea604 in mozilla::layout::RemotePrintJobParent::RecvProcessPage(nsTArray<unsigned long>&&) /layout/printing/ipc/RemotePrintJobParent.cpp:118:5
        #41 0x7fc3751a4844 in mozilla::layout::PRemotePrintJobParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemotePrintJobParent.cpp:342:52
        #42 0x7fc3741dc764 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6627:32
        #43 0x7fc36d99ce69 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
        #44 0x7fc36d999ed7 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
        #45 0x7fc36d99ab24 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
        #46 0x7fc36d99bdb2 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
        #47 0x7fc36c1c4362 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #48 0x7fc36c1bb2c7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #49 0x7fc36c1b8558 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #50 0x7fc36c1b8c80 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #51 0x7fc36c1ca911 in operator() /xpcom/threads/TaskController.cpp:187:37
        #52 0x7fc36c1ca911 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #53 0x7fc36c1edb68 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1204:16
        #54 0x7fc36c1f8614 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #55 0x7fc36d9a462f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #56 0x7fc36d8216a1 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #57 0x7fc36d8216a1 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #58 0x7fc36d8216a1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #59 0x7fc374d08d97 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #60 0x7fc379c953f7 in nsAppStartup::Run() /toolkit/components/startup/nsAppStartup.cpp:295:30
        #61 0x7fc379ec3965 in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5723:22
        #62 0x7fc379ec56be in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5916:8
        #63 0x7fc379ec643b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5972:21
        #64 0x55827af31946 in do_main(int, char**, char**) /browser/app/nsBrowserApp.cpp:226:22
        #65 0x55827af30be7 in main /browser/app/nsBrowserApp.cpp:428:16
        #66 0x7fc39472ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #67 0x7fc39472ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #68 0x55827ae70a19 in _start (/home/jkratzer/builds/m-c-20221024093150-fuzzing-asan-opt/firefox+0x7aa19) (BuildId: d7fcfc2c0df7d17af1172c91b072020f207fd353)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /gfx/cairo/cairo/src/cairo-polygon-intersect.c:1171:6 in active_edges
    ==154411==ABORTING

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221027215515-2dddf127c6ab.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 2f3b5d0ef91160a8b34e6e22ebc4b1475f35d9fc (20211029094127)
End: d1982cee06ca5c4df2bd03dc4f47ee489f8b5a17 (20221024093150)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Jonathan, are you well placed to look at cairo issues, or is there somebody better suited?

We're crashing here because the right pointer is null.

I don't understand much about this cairo polygon code, but this comment doesn't exactly inspire confidence. It may be that something further back has left the geometry structures in an unexpected state, perhaps because of overflowing dimension or floating-point precision limits or something (given the extreme values in the testcase). But anyhow, it looks to me like this code can be made more robust with a couple of extra null-checks, so that it just bails out rather than crashing.

With this, which should not change behavior unless we were about to crash,
the testcase completes successfully (although slowly, as it's generating
an 8000-plus page PDF document).

FTR, I have opened https://gitlab.freedesktop.org/cairo/cairo/-/merge_requests/365 upstream for this. (It's possible cairo maintainers will have a better fix to offer, in which case we can follow their lead.)

https://hg.mozilla.org/mozilla-central/rev/f8dff2edfe1b

Verified bug as fixed on rev mozilla-central 20221101213659-f8dff2edfe1b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.