<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - [PATCH] Recording surface ink extents: difference between two fixed point numbers may overflow before conversion to double"
href="https://bugs.freedesktop.org/show_bug.cgi?id=84952">84952</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[PATCH] Recording surface ink extents: difference between two fixed point numbers may overflow before conversion to double
</td>
</tr>
<tr>
<th>Product</th>
<td>cairo
</td>
</tr>
<tr>
<th>Version</th>
<td>1.12.16
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>medium
</td>
</tr>
<tr>
<th>Component</th>
<td>general
</td>
</tr>
<tr>
<th>Assignee</th>
<td>chris@chris-wilson.co.uk
</td>
</tr>
<tr>
<th>Reporter</th>
<td>cmantunes@gmail.com
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>cairo-bugs@cairographics.org
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=107759" name="attach_107759" title="Patch fixes fixed-point overflow bug on recording-surface">attachment 107759</a></span>
Patch fixes fixed-point overflow bug on recording-surface
Recording surface may return incorrect result for ink extents when, for
example, it is created unbounded. This is due to a bug in the conversion of a
difference from fixed to floating point. The code for
cairo_recording_surface_ink_extents reads at some point:

    *width = _cairo_fixed_to_double (bbox.p2.x - bbox.p1.x);
    *height = _cairo_fixed_to_double (bbox.p2.y - bbox.p1.y);

The "solution" (short of getting rid of fixed point altogether) is to change
this to:

    *width = _cairo_fixed_to_double (bbox.p2.x) - _cairo_fixed_to_double (bbox.p1.x);
    *height = _cairo_fixed_to_double (bbox.p2.y) - _cairo_fixed_to_double (bbox.p1.y);

This was tested on MSYS2/MinGW64 and indeed it works as expected.

Attached, you'll find the simple patch. It works against 1.12.16 but the bug is
still present on HEAD.

Thanks!</pre>
</div>
</p>
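<p>The overflow described in the report, reproduced as an added example (not code from the report, the attached patch, or cairo). It assumes a signed 32-bit fixed-point type with 8 fractional bits; the names fixed_t, wrapping_sub, extent_before, extent_after and fixed_sub_overflows are hypothetical, and the sample coordinates are constructed.</p>

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model of the fixed-point type: signed 32-bit, 8 fractional bits. */
typedef int32_t fixed_t;
#define FIXED_FRAC_BITS 8

static double fixed_to_double(fixed_t f)
{
    return (double)f / (double)(1 << FIXED_FRAC_BITS);
}

/* Models 32-bit two's-complement wraparound of (a - b) without relying on
 * signed overflow, which is undefined behaviour in C. */
static fixed_t wrapping_sub(fixed_t a, fixed_t b)
{
    uint32_t u = (uint32_t)a - (uint32_t)b;
    return u <= (uint32_t)INT32_MAX ? (fixed_t)u
                                    : (fixed_t)((int64_t)u - 4294967296LL);
}

/* "Before": subtract in fixed point, then convert the (possibly wrapped) result. */
static double extent_before(fixed_t p1, fixed_t p2)
{
    return fixed_to_double(wrapping_sub(p2, p1));
}

/* "After": convert each coordinate first, then subtract as doubles. */
static double extent_after(fixed_t p1, fixed_t p2)
{
    return fixed_to_double(p2) - fixed_to_double(p1);
}

/* Check a caller can use: does p2 - p1 fit in the 32-bit fixed-point type? */
static int fixed_sub_overflows(fixed_t p1, fixed_t p2)
{
    int64_t d = (int64_t)p2 - (int64_t)p1;
    return d > INT32_MAX || d < INT32_MIN;
}

int main(void)
{
    /* Constructed boxes: an ordinary one and one spanning the whole range. */
    fixed_t s1 = 10 << 8, s2 = (30 << 8) + 128, h1 = INT32_MIN, h2 = INT32_MAX;
    printf("small: before=%f after=%f\n", extent_before(s1, s2), extent_after(s1, s2));
    printf("huge:  before=%f after=%f overflows=%d\n",
           extent_before(h1, h2), extent_after(h1, h2), fixed_sub_overflows(h1, h2));
    return 0;
}
```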
</body>
</html>