[Pixman] [PATCH] Fix arithmetic overflow in pointer arithmetic in ‘general_composite_rect’

Ludovic Courtès ludo at gnu.org
Mon Sep 21 12:34:51 PDT 2015

Siarhei Siamashka <siarhei.siamashka at gmail.com> wrote:

> Sorry, I forgot to mention
>     http://cgit.freedesktop.org/pixman/tree/README?id=pixman-0.33.2#n46
> We would also need a commit message for the patch. So it normally
> should be created with "git format-patch" command and sent to the
> mailing list using "git send-email".

Right, sorry.  In fact I intended this message to be an RFC more than
anything else.

> Basically, I would probably do it in the following way:

Looks better to me, indeed.

> This bug is your find and you should get credit for it :-)
> Please let me know if you:
> 1. are going to send an updated patch yourself.
> 2. want me to do this on your behalf (listing you as the patch author).
> 3. want me to submit a patch myself (listing you as the bug reporter).

I’m happy with #3 or #2 (the former would probably be more fair.)

> Also this is an important bugfix for a non-obvious problem, which can
> be really a PITA to debug. I would nominate it for a pixman-0.32.8
> bugfix release.

Yes, it’s probably a good idea.

It would be interesting to see whether/how the bug could be exploited in
other ways.  For instance with, say, width = -20 % 2^32, one could
arrange to overwrite the return address on the stack.

