pixman: Branch 'master' - 3 commits

Chris Wilson ickle at kemper.freedesktop.org
Thu Sep 27 10:22:00 PDT 2007


 pixman/pixman-image.c   |   34 ++++++++++++++++++++++++++++++----
 pixman/pixman-private.h |    2 ++
 pixman/pixman-utils.c   |   14 ++++++++++++++
 3 files changed, 46 insertions(+), 4 deletions(-)

New commits:
diff-tree 7f820e15070c9b9618d78425b8cb1a4df722eb22 (from b4f0cc6eeaff8d5ea114734fcfa293fce1904ce4)
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Thu Sep 27 12:46:46 2007 +0100

    [pixman-image] [mlk] Free the locally allocated bits.
    
    If we fail to allocate the image, remember to free the bits if we have
    created the buffer on behalf of the caller.

diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index de799b1..d40234d 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -359,8 +359,11 @@ pixman_image_create_bits (pixman_format_
     
     image = allocate_image();
 
-    if (!image)
+    if (!image) {
+	if (free_me)
+	    free (free_me);
 	return NULL;
+    }
     
     image->type = BITS;
     image->bits.format = format;
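Review bot: The added cleanup reads `free_me` on paths where the allocation branch may never have run (caller-supplied `bits`, or the zero width/height case that skips `create_bits`), so it is only safe if `free_me` is initialised to NULL at its declaration. That declaration lies outside this hunk and should be confirmed. Separately, the `if (free_me)` guard is redundant because `free (NULL)` is a no-op, so the two lines can collapse to `free (free_me);`. The body of pixman_image_create_bits starts and ends outside the hunk.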
diff-tree b4f0cc6eeaff8d5ea114734fcfa293fce1904ce4 (from 958a650b8eb1b61143122c3ad1f9b637b6467984)
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Thu Sep 27 12:44:44 2007 +0100

    [pixman-image] Avoid a potential malloc(0).
    
    Do not attempt to allocate bits if either the image width or height is
    0 - Cairo has a habit of attempting to create such surfaces when
    generating glyphs. The malloc(0) may return a NULL pointer and be treated
    as an out-of-memory error.

diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index 986f8ab..de799b1 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -350,7 +350,7 @@ pixman_image_create_bits (pixman_format_
     return_val_if_fail (bits == NULL ||
 			(rowstride_bytes % sizeof (uint32_t)) == 0, NULL); 
 
-    if (!bits)
+    if (!bits && width && height)
     {
 	free_me = bits = create_bits (format, width, height, &rowstride_bytes);
 	if (!bits)
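Review bot: When `bits` is NULL and either dimension is zero, the function now continues with `bits == NULL` and with `rowstride_bytes` still holding whatever the caller passed. The `return_val_if_fail` above validates the stride only for non-NULL `bits`, and `create_bits` is the only code in view that writes it. If the rest of the function (outside this hunk) stores both into the image, later readers get a NULL pixel pointer paired with an unchecked stride. A comment such as `/* zero-sized image: bits stays NULL and must never be dereferenced */` would record the contract. It may also be worth normalising the stride, e.g. `else if (!bits) rowstride_bytes = 0;`.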
diff-tree 958a650b8eb1b61143122c3ad1f9b637b6467984 (from 5b60c91fd6865021aa6027ee65fa8371a4e2d297)
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Thu Sep 27 12:40:59 2007 +0100

    [pixman-image] Avoid integer overflow when allocating bits.
    
    Check for potential overflows at every step of the calculation of the
    buffer size required for the pixels.
    
    (Fixes https://bugs.freedesktop.org/show_bug.cgi?id=11627)

diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index fa32208..986f8ab 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -285,9 +285,32 @@ create_bits (pixman_format_code_t format
     int stride;
     int buf_size;
     int bpp;
-    
+
+    /* what follows is a long-winded way, avoiding any possibility of integer
+     * overflows, of saying:
+     * stride = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (uint32_t);
+     */
+
     bpp = PIXMAN_FORMAT_BPP (format);
-    stride = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (uint32_t);
+    if (pixman_multiply_overflows_int (width, bpp))
+	return NULL;
+
+    stride = width * bpp;
+    if (pixman_addition_overflows_int (stride, FB_MASK))
+	return NULL;
+
+    stride += FB_MASK;
+    stride >>= FB_SHIFT;
+
+#if FB_SHIFT < 2
+    if (pixman_multiply_overflows_int (stride, sizeof (uint32_t)))
+	return NULL;
+#endif
+    stride *= sizeof (uint32_t);
+
+    if (pixman_multiply_overflows_int (height, stride))
+	return NULL;
+
     buf_size = height * stride;
 
     if (rowstride_bytes)
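Review bot: Negative `width` or `height` is rejected here only as a side effect of the helpers taking `unsigned int`, and nothing in the hunk says this is intended. With the usual 32-bit int, a negative `int` converts to a value above `INT32_MAX` and trips the check. A line like `/* negative dimensions convert to large unsigned values and are rejected by the overflow checks */` ahead of the first check would stop a later signedness cleanup from silently removing that protection. The `#if FB_SHIFT < 2` guard deserves the same treatment: `/* after >> FB_SHIFT with FB_SHIFT >= 2, multiplying by sizeof (uint32_t) cannot exceed the pre-shift value */`. create_bits begins and ends outside the hunk.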
diff --git a/pixman/pixman-private.h b/pixman/pixman-private.h
index 6487bfd..0c5942f 100644
--- a/pixman/pixman-private.h
+++ b/pixman/pixman-private.h
@@ -69,6 +69,8 @@
 /* Memory allocation helpers */
 void *pixman_malloc_ab (unsigned int n, unsigned int b);
 void *pixman_malloc_abc (unsigned int a, unsigned int b, unsigned int c);
+pixman_bool_t pixman_multiply_overflows_int (unsigned int a, unsigned int b);
+pixman_bool_t pixman_addition_overflows_int (unsigned int a, unsigned int b);
 
 #if DEBUG
 
diff --git a/pixman/pixman-utils.c b/pixman/pixman-utils.c
index fc93608..1d1dec9 100644
--- a/pixman/pixman-utils.c
+++ b/pixman/pixman-utils.c
@@ -371,6 +371,20 @@ pixman_line_fixed_edge_init (pixman_edge
 		    bot->y + y_off_fixed);
 }
 
+pixman_bool_t
+pixman_multiply_overflows_int (unsigned int a,
+		               unsigned int b)
+{
+    return a >= INT32_MAX / b;
+}
+
+pixman_bool_t
+pixman_addition_overflows_int (unsigned int a,
+		               unsigned int b)
+{
+    return a > INT32_MAX - b;
+}
+
 void *
 pixman_malloc_ab(unsigned int a,
 		 unsigned int b)
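Review bot: `pixman_multiply_overflows_int` divides by `b` without checking it, so a zero second argument is a division by zero (undefined behaviour) rather than a "no overflow" answer. In create_bits the second argument is first `bpp` from `PIXMAN_FORMAT_BPP (format)` and later `stride`, which presumably comes out as 0 for a zero `width`. The `width && height` guard in pixman_image_create_bits covers the second case for that caller, but not a format whose bpp is 0. Guarding in the helper is the smallest fix: `return b != 0 && a >= INT32_MAX / b;`. The `>=` also reports overflow for products that still fit (for example `b == 1`, `a == INT32_MAX`), which is conservative but worth a comment.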

