Blame cairo-fix_crash_in_fill_xrgb32_lerp_opaque_spans.patch
|
 |
f1f58f2 |
From 5c82d91a5e15d29b1489dcb413b24ee7fdf59934 Mon Sep 17 00:00:00 2001
|
|
|
f1f58f2 |
From: Bryce Harrington <bryce@osg.samsung.com>
|
|
|
f1f58f2 |
Date: Wed, 3 Dec 2014 19:28:15 -0800
|
|
|
f1f58f2 |
Subject: image: Fix crash in _fill_xrgb32_lerp_opaque_spans
|
|
|
f1f58f2 |
|
|
|
f1f58f2 |
If a span length is negative don't go out of bounds processing the fill
|
|
|
f1f58f2 |
data.
|
|
|
f1f58f2 |
|
|
|
f1f58f2 |
Patch thanks to Ilya Sakhnenko <ilia.softway@gmail.com> on mailing list.
|
|
|
f1f58f2 |
|
|
|
f1f58f2 |
Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
|
|
|
f1f58f2 |
|
|
|
f1f58f2 |
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
|
|
|
f1f58f2 |
index 6ff0f09..48072f8 100644
|
|
|
f1f58f2 |
--- a/src/cairo-image-compositor.c
|
|
|
f1f58f2 |
+++ b/src/cairo-image-compositor.c
|
|
|
f1f58f2 |
@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
|
|
|
f1f58f2 |
spans[0].x, y, len, 1, r->u.fill.pixel);
|
|
|
f1f58f2 |
} else {
|
|
|
f1f58f2 |
uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4);
|
|
|
f1f58f2 |
- while (len--)
|
|
|
f1f58f2 |
+ while (len-- > 0)
|
|
|
f1f58f2 |
*d++ = r->u.fill.pixel;
|
|
|
f1f58f2 |
}
|
|
|
f1f58f2 |
- } else while (len--) {
|
|
|
f1f58f2 |
+ } else while (len-- > 0) {
|
|
|
f1f58f2 |
*d = lerp8x4 (r->u.fill.pixel, a, *d);
|
|
|
f1f58f2 |
d++;
|
|
|
f1f58f2 |
}
|
|
|
f1f58f2 |
--
|
|
|
f1f58f2 |
cgit v0.10.2
|
|
|
f1f58f2 |
|