[Pixman] [PATCH 1/5] Fix some signed overflow bugs

Søren Sandmann sandmann at cs.au.dk
Thu Dec 22 13:35:42 PST 2011 

From: Søren Sandmann Pedersen <ssp at redhat.com>

In the macros for the PDF blend modes, two comp1_t variables are
multiplied together and then used as if the result were a
comp4_t. When comp1_t is a uint8_t, this is fine because they are
promoted to int, and the product of two uint8_ts fits in an
int. However, when comp1_t is uint16, the product does not necessarily
fit in an int, so casts are necessary.

Fix for bug 43906, reported by Siarhei Siamashka.
---
 pixman/pixman-combine.c.template |    6 +++---
 test/blitters-test.c             |    2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pixman/pixman-combine.c.template b/pixman/pixman-combine.c.template
index c17bcea..cd008d9 100644
--- a/pixman/pixman-combine.c.template
+++ b/pixman/pixman-combine.c.template
@@ -522,7 +522,7 @@ combine_multiply_ca (pixman_implementation_t *imp,
 	    UNcx4_MUL_UNc_ADD_UNcx4_MUL_UNc (result, isa, s, ida);	\
 	    								\
 	    *(dest + i) = result +					\
-		(DIV_ONE_UNc (sa * da) << A_SHIFT) +			\
+		(DIV_ONE_UNc (sa * (comp4_t)da) << A_SHIFT) +		\
 		(blend_ ## name (RED_c (d), da, RED_c (s), sa) << R_SHIFT) + \
 		(blend_ ## name (GREEN_c (d), da, GREEN_c (s), sa) << G_SHIFT) + \
 		(blend_ ## name (BLUE_c (d), da, BLUE_c (s), sa));	\
@@ -552,7 +552,7 @@ combine_multiply_ca (pixman_implementation_t *imp,
 	    UNcx4_MUL_UNcx4_ADD_UNcx4_MUL_UNc (result, ~m, s, ida);     \
             								\
 	    result +=							\
-	        (DIV_ONE_UNc (ALPHA_c (m) * da) << A_SHIFT) +		\
+	        (DIV_ONE_UNc (ALPHA_c (m) * (comp4_t)da) << A_SHIFT) +	\
 	        (blend_ ## name (RED_c (d), da, RED_c (s), RED_c (m)) << R_SHIFT) + \
 	        (blend_ ## name (GREEN_c (d), da, GREEN_c (s), GREEN_c (m)) << G_SHIFT) + \
 	        (blend_ ## name (BLUE_c (d), da, BLUE_c (s), BLUE_c (m))); \
@@ -926,7 +926,7 @@ PDF_SEPARABLE_BLEND_MODE (exclusion)
 	    blend_ ## name (c, dc, da, sc, sa);				\
             								\
 	    *(dest + i) = result +					\
-		(DIV_ONE_UNc (sa * da) << A_SHIFT) +			\
+		(DIV_ONE_UNc (sa * (comp4_t)da) << A_SHIFT) +		\
 		(DIV_ONE_UNc (c[0]) << R_SHIFT) +			\
 		(DIV_ONE_UNc (c[1]) << G_SHIFT) +			\
 		(DIV_ONE_UNc (c[2]));					\
diff --git a/test/blitters-test.c b/test/blitters-test.c
index 55b6c73..63162e6 100644
--- a/test/blitters-test.c
+++ b/test/blitters-test.c
@@ -424,6 +424,6 @@ main (int argc, const char *argv[])
     }
 
     return fuzzer_test_main("blitters", 2000000,
-			    0x29137844,
+			    0x3EDA4108,
 			    test_composite, argc, argv);
 }
-- 
1.6.0.6

More information about the Pixman mailing list