pixman: Branch 'master' - 3 commits
Chris Wilson
ickle at kemper.freedesktop.org
Thu Sep 27 10:22:00 PDT 2007
pixman/pixman-image.c | 34 ++++++++++++++++++++++++++++++----
pixman/pixman-private.h | 2 ++
pixman/pixman-utils.c | 14 ++++++++++++++
3 files changed, 46 insertions(+), 4 deletions(-)
New commits:
diff-tree 7f820e15070c9b9618d78425b8cb1a4df722eb22 (from b4f0cc6eeaff8d5ea114734fcfa293fce1904ce4)
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Thu Sep 27 12:46:46 2007 +0100
[pixman-image] [mlk] Free the locally allocated bits.
If we fail to allocate the image, remember to free the bits if we have
created the buffer on behalf of the caller.
diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index de799b1..d40234d 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -359,8 +359,11 @@ pixman_image_create_bits (pixman_format_
image = allocate_image();
- if (!image)
+ if (!image) {
+ if (free_me)
+ free (free_me);
return NULL;
+ }
image->type = BITS;
image->bits.format = format;
diff-tree b4f0cc6eeaff8d5ea114734fcfa293fce1904ce4 (from 958a650b8eb1b61143122c3ad1f9b637b6467984)
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Thu Sep 27 12:44:44 2007 +0100
[pixman-image] Avoid a potential malloc(0).
Do not attempt to allocate bits if either the image width or height is
0 - Cairo has a habit of attempting to create such surfaces when
generating glyphs. The malloc(0) may return a NULL pointer and be treated
as an out-of-memory error.
diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index 986f8ab..de799b1 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -350,7 +350,7 @@ pixman_image_create_bits (pixman_format_
return_val_if_fail (bits == NULL ||
(rowstride_bytes % sizeof (uint32_t)) == 0, NULL);
- if (!bits)
+ if (!bits && width && height)
{
free_me = bits = create_bits (format, width, height, &rowstride_bytes);
if (!bits)
diff-tree 958a650b8eb1b61143122c3ad1f9b637b6467984 (from 5b60c91fd6865021aa6027ee65fa8371a4e2d297)
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Thu Sep 27 12:40:59 2007 +0100
[pixman-image] Avoid integer overflow when allocating bits.
Check for potential overflows at every step of the calculation of the
buffer size required for the pixels.
(Fixes https://bugs.freedesktop.org/show_bug.cgi?id=11627)
diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c
index fa32208..986f8ab 100644
--- a/pixman/pixman-image.c
+++ b/pixman/pixman-image.c
@@ -285,9 +285,32 @@ create_bits (pixman_format_code_t format
int stride;
int buf_size;
int bpp;
-
+
+ /* what follows is a long-winded way, avoiding any possibility of integer
+ * overflows, of saying:
+ * stride = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (uint32_t);
+ */
+
bpp = PIXMAN_FORMAT_BPP (format);
- stride = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (uint32_t);
+ if (pixman_multiply_overflows_int (width, bpp))
+ return NULL;
+
+ stride = width * bpp;
+ if (pixman_addition_overflows_int (stride, FB_MASK))
+ return NULL;
+
+ stride += FB_MASK;
+ stride >>= FB_SHIFT;
+
+#if FB_SHIFT < 2
+ if (pixman_multiply_overflows_int (stride, sizeof (uint32_t)))
+ return NULL;
+#endif
+ stride *= sizeof (uint32_t);
+
+ if (pixman_multiply_overflows_int (height, stride))
+ return NULL;
+
buf_size = height * stride;
if (rowstride_bytes)
diff --git a/pixman/pixman-private.h b/pixman/pixman-private.h
index 6487bfd..0c5942f 100644
--- a/pixman/pixman-private.h
+++ b/pixman/pixman-private.h
@@ -69,6 +69,8 @@
/* Memory allocation helpers */
void *pixman_malloc_ab (unsigned int n, unsigned int b);
void *pixman_malloc_abc (unsigned int a, unsigned int b, unsigned int c);
+pixman_bool_t pixman_multiply_overflows_int (unsigned int a, unsigned int b);
+pixman_bool_t pixman_addition_overflows_int (unsigned int a, unsigned int b);
#if DEBUG
diff --git a/pixman/pixman-utils.c b/pixman/pixman-utils.c
index fc93608..1d1dec9 100644
--- a/pixman/pixman-utils.c
+++ b/pixman/pixman-utils.c
@@ -371,6 +371,20 @@ pixman_line_fixed_edge_init (pixman_edge
bot->y + y_off_fixed);
}
+pixman_bool_t
+pixman_multiply_overflows_int (unsigned int a,
+ unsigned int b)
+{
+ return a >= INT32_MAX / b;
+}
+
+pixman_bool_t
+pixman_addition_overflows_int (unsigned int a,
+ unsigned int b)
+{
+ return a > INT32_MAX - b;
+}
+
void *
pixman_malloc_ab(unsigned int a,
unsigned int b)
More information about the xorg-commit
mailing list