[cairo] crash in _fill_xrgb32_lerp_opaque_spans
Ilya Sakhnenko
ilia.softway at gmail.com
Wed Nov 26 14:04:07 PST 2014
Hello,
First of all, a million thanks for this beautiful library!
I have encountered a crash in _fill_xrgb32_lerp_opaque_spans (cairo 1.14.0,
pixman 0.32.6):
I had to replace if (len--) with if (len-- > 0) to let our program run.

static cairo_status_t
_fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
                                const cairo_half_open_span_t *spans, unsigned num_spans)
{
    cairo_image_span_renderer_t *r = abstract_renderer;

    if (num_spans == 0)
        return CAIRO_STATUS_SUCCESS;

    if (likely(h == 1)) {
        do {
            uint8_t a = spans[0].coverage;
            if (a) {
                int len = spans[1].x - spans[0].x; // = -1 causing a crash
                uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4);
                if (a == 0xff) {
                    if (len > 31) {
                        pixman_fill ((uint32_t *)r->u.fill.data, r->u.fill.stride / sizeof(uint32_t), 32,
                                     spans[0].x, y, len, 1, r->u.fill.pixel);
                    } else {
                        uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4);
                        while (len-- > 0)
                            *d++ = r->u.fill.pixel;
                    }
                } else while (len-- > 0) { // crash len being negative (was -1 at the line 2238: int len = spans[1].x - spans[0].x)
                    *d = lerp8x4 (r->u.fill.pixel, a, *d);
                    d++;
                }
            }
            spans++;
....

With best regards,
Ilya
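
Added example, not part of the original message and not cairo code: it compares how many iterations the two loop conditions attempt for a given len, and shows a row fill that validates the span list before writing. The names span_t, iterations_unguarded, iterations_guarded and fill_row_checked are hypothetical, and the blend step is simplified to an opaque store.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a half-open span: coverage applies from x
 * up to, but not including, the next span's x. */
typedef struct { int32_t x; uint8_t coverage; } span_t;

/* Iterations attempted by `while (len--)`. Capped so the demo ends; in a
 * row fill every one of these iterations is a 4-byte store. */
long iterations_unguarded(int len, long cap)
{
    long n = 0;
    while (len-- && n < cap)    /* -1 is non-zero, so the loop is entered */
        n++;
    return n;
}

/* Iterations attempted by `while (len-- > 0)`. */
long iterations_guarded(int len)
{
    long n = 0;
    while (len-- > 0)
        n++;
    return n;
}

/* Validate the whole span list before touching the row, then fill.
 * Returns pixels written, or -1 if a span runs backwards or leaves
 * [0, width). Simplification: non-zero coverage is written as opaque. */
long fill_row_checked(uint32_t *row, int width, const span_t *spans,
                      unsigned num_spans, uint32_t pixel)
{
    long written = 0;
    for (unsigned i = 0; i < num_spans; i++)
        if (spans[i].x < 0 || spans[i].x > width ||
            (i > 0 && spans[i].x < spans[i - 1].x))
            return -1;
    for (unsigned i = 0; i + 1 < num_spans; i++) {
        if (!spans[i].coverage)
            continue;
        for (int32_t x = spans[i].x; x < spans[i + 1].x; x++, written++)
            row[x] = pixel;
    }
    return written;
}

int main(void)
{
    printf("%ld vs %ld\n", iterations_unguarded(-1, 1000), iterations_guarded(-1));
    return 0;
}
```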