[Pixman] [PATCH 1/2] test: check the validity of trapezoid
Søren Sandmann
sandmann at cs.au.dk
Fri Nov 15 14:44:20 PST 2013
Hi,
Thanks for the updated patches. They both look good. Unfortunately, in
order to get the 0.32.0 release out with the trapezoid issue fixed, I
already pushed some similar patches a couple of weeks ago:
http://cgit.freedesktop.org/pixman/commit/?id=2f876cf86718d3dd9b3b04ae9552530edafe58a1
http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c
Søren
Ritesh Khadgaray <ritesh.khadgaray at canonical.com> writes:
> From: Ritesh Khadgaray <ritesh.khadgaray at canonical.com>
>
> This test will create a trapezoid with an invalid bottom, where
> subtracting bottom from top will result in a value less than MIN_INT,
> leading to an underflow error.
>
> (int)((t)->bottom - (t)->top) > 0
>
> This leads to invalid memory read/write and a crash.
> ---
> test/trap-crasher.c | 19 ++++++++++++++++++-
> 1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/test/trap-crasher.c b/test/trap-crasher.c
> index 4e4cac2..c1162fd 100644
> --- a/test/trap-crasher.c
> +++ b/test/trap-crasher.c
> @@ -5,7 +5,7 @@ int
> main()
> {
> pixman_image_t *dst;
> - pixman_trapezoid_t traps[1] = {
> + pixman_trapezoid_t traps[2] = {
> {
> 2147483646,
> 2147483647,
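Review bot: traps[2] hard-codes the element count, so every future regression case has to bump this line as well; declaring the array as "pixman_trapezoid_t traps[] = {" lets the initializer set the size. The diffstat (18 insertions, 1 deletion) is fully accounted for by the two hunks of this patch, so the code that consumes traps further down in main() is unchanged. Please confirm that it derives the count from the array (for example sizeof (traps) / sizeof (traps[0])) rather than passing a literal 1, otherwise the new trapezoid is never rasterized and the test passes without exercising the bug.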
> @@ -18,6 +18,23 @@ main()
> { 0, 2147483647 }
> }
> },
> +
> + /* fdo bug #67484 - Corrupted CustomShape crashes Xorg
> + subtracting t->top from t->bottom wraps around MIN_INT
> + and an invalid trap, followed by crash
> + */
> + {
> + 32768,
> + -2147483647,
> + {
> + { 0, 0 },
> + { 0, 2147483647 }
> + },
> + {
> + { 65536, 0 },
> + { 0, 2147483647 }
> + }
> + },
> };
>
> dst = pixman_image_create_bits (PIXMAN_a8, 1, 1, NULL, -1);
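Review bot: The new comment does not say which of the positional initializers trigger the bug, and its last clause ("and an invalid trap, followed by crash") does not parse. Suggest stating that top is 32768 and bottom is -2147483647, so that bottom - top falls below the smallest 32-bit int and wraps to a positive value, which is what lets the trapezoid pass the check quoted in the commit message. MIN_INT is not a standard macro name; INT_MIN or INT32_MIN would be clearer, and the continuation lines of the comment would read better with a leading " * ".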
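The wraparound described in the commit message above, worked through for the top/bottom pairs of both trapezoids in the test. This is an added example, not part of the patch or of pixman; the names fixed_t, wrapped_diff, height_ok_subtract and height_ok_compare are hypothetical, and the comparison form is shown as one overflow-free alternative, not as the fix that was committed.

```c
#include <stdint.h>
#include <stdio.h>

typedef int32_t fixed_t; /* assumption: 32-bit signed, like pixman_fixed_t */

/* bottom - top as 32-bit two's-complement arithmetic produces it.
 * Computed in unsigned so the wrap is defined behaviour in this demo. */
static uint32_t wrapped_diff(fixed_t top, fixed_t bottom)
{
    return (uint32_t)bottom - (uint32_t)top;
}

/* Shape of the check quoted in the commit message,
 * (int)(bottom - top) > 0: the wrapped difference read as signed. */
static int height_ok_subtract(fixed_t top, fixed_t bottom)
{
    uint32_t d = wrapped_diff(top, bottom);
    return d != 0 && d <= (uint32_t)INT32_MAX;
}

/* Overflow-free alternative: compare the two values, never subtract. */
static int height_ok_compare(fixed_t top, fixed_t bottom)
{
    return bottom > top;
}

int main(void)
{
    /* {top, bottom} of the two trapezoids in the patched test */
    static const fixed_t cases[2][2] = {
        { 2147483646, 2147483647 },
        { 32768, -2147483647 },
    };
    for (int i = 0; i < 2; i++) {
        fixed_t top = cases[i][0], bottom = cases[i][1];
        printf("top=%ld bottom=%ld wrapped=%lu subtract=%d compare=%d\n",
               (long)top, (long)bottom,
               (unsigned long)wrapped_diff(top, bottom),
               height_ok_subtract(top, bottom),
               height_ok_compare(top, bottom));
    }
    return 0;
}
```

For the second trapezoid the subtraction-based check accepts a shape whose bottom lies far above its top, while the comparison rejects it.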