[Pixman] [PATCH 1/2] test: check the validity of trapezoid
Ritesh Khadgaray
ritesh.khadgaray at canonical.com
Thu Nov 14 07:41:04 PST 2013
From: Ritesh Khadgaray <ritesh.khadgaray at canonical.com>
This test will create a trapezoid with an invalid bottom , where subtracting bottom from top
will result in a value less than MIN_INT, leading to underflow error.
(int)((t)->bottom - (t)->top) > 0
This leads to invalid memory read/write and a crash.
---
test/trap-crasher.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/test/trap-crasher.c b/test/trap-crasher.c
index 4e4cac2..c1162fd 100644
--- a/test/trap-crasher.c
+++ b/test/trap-crasher.c
@@ -5,7 +5,7 @@ int
main()
{
pixman_image_t *dst;
- pixman_trapezoid_t traps[1] = {
+ pixman_trapezoid_t traps[2] = {
{
2147483646,
2147483647,
@@ -18,6 +18,23 @@ main()
{ 0, 2147483647 }
}
},
+
+ /* fdo bug #67484 - Corrupted CustomShape crashes Xorg
+ subtracting t->top from t->bottom wraps around MIN_INT
+ and an invalid trap, followed by crash
+ */
+ {
+ 32768,
+ -2147483647,
+ {
+ { 0, 0 },
+ { 0, 2147483647 }
+ },
+ {
+ { 65536, 0 },
+ { 0, 2147483647 }
+ }
+ },
};
dst = pixman_image_create_bits (PIXMAN_a8, 1, 1, NULL, -1);
--
1.8.3.2
More information about the Pixman
mailing list