<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Image compositor can pass invalid coordinates to pixman_fill()"
href="https://bugs.freedesktop.org/show_bug.cgi?id=90120#c2">Comment # 2</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Image compositor can pass invalid coordinates to pixman_fill()"
href="https://bugs.freedesktop.org/show_bug.cgi?id=90120">bug 90120</a>
from <span class="vcard"><a class="email" href="mailto:federico@gnome.org" title="Federico Mena-Quintero <federico@gnome.org>"> <span class="fn">Federico Mena-Quintero</span></a>
</span></b>
<pre>For reference, this is the top of the backtrace when the invalid write happens:
#0 0x000000000b530d04 in sse2_fill (imp=0xf5e2390, bits=0x12461330, stride=80,
bpp=32, x=1, y=1, width=18, height=-14, filler=4294901760) at
pixman-sse2.c:3394
#1 0x000000000b497319 in _pixman_implementation_fill (imp=0xf5e2390,
bits=0x12461330, stride=20, bpp=32, x=1, y=1, width=18, height=-2,
filler=4294901760) at pixman-implementation.c:277
#2 0x000000000b2abced in pixman_fill (bits=0x12461330, stride=20, bpp=32, x=1,
y=1, width=18, height=-2, filler=4294901760) at pixman.c:766
#3 0x0000000006c3895d in fill_boxes (_dst=0x12461730,
op=CAIRO_OPERATOR_SOURCE, color=0x7feffeee8, boxes=0x7feffe990) at
cairo-image-compositor.c:349
#4 0x0000000006c84450 in composite_aligned_boxes (compositor=0x6f72dc0
&lt;spans.11385&gt;, extents=0x7feffedf0, boxes=0x7feffe990) at
cairo-spans-compositor.c:619
#5 0x0000000006c84dbd in clip_and_composite_boxes (compositor=0x6f72dc0
&lt;spans.11385&gt;, extents=0x7feffedf0, boxes=0x7feffe990) at
cairo-spans-compositor.c:873
#6 0x0000000006c852d1 in _cairo_spans_compositor_stroke (_compositor=0x6f72dc0
&lt;spans.11385&gt;, extents=0x7feffedf0, path=0x1245f538, style=0x7fefff210,
ctm=0x12464a40, ctm_inverse=0x12464a70, tolerance=0.10000000000000001,
antialias=CAIRO_ANTIALIAS_DEFAULT) at cairo-spans-compositor.c:1029
#7 0x0000000006c29d02 in _cairo_compositor_stroke (compositor=0x6f72dc0
&lt;spans.11385&gt;, surface=0x12461730, op=CAIRO_OPERATOR_OVER, source=0x7fefff240,
path=0x1245f538, style=0x7fefff210, ctm=0x12464a40, ctm_inverse=0x12464a70,
tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0)
at cairo-compositor.c:157
#8 0x0000000006c4162f in _cairo_image_surface_stroke
(abstract_surface=0x12461730, op=CAIRO_OPERATOR_OVER, source=0x7fefff240,
path=0x1245f538, style=0x7fefff210, ctm=0x12464a40, ctm_inverse=0x12464a70,
tolerance=0.10000000000000001,
antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at cairo-image-surface.c:961
#9 0x0000000006c8aad8 in _cairo_surface_stroke (surface=0x12461730,
op=CAIRO_OPERATOR_OVER, source=0x7fefff240, path=0x1245f538,
stroke_style=0x7fefff210, ctm=0x12464a40, ctm_inverse=0x12464a70,
tolerance=0.10000000000000001,
antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at cairo-surface.c:2210
#10 0x0000000006c33fd3 in _cairo_gstate_stroke (gstate=0x12464950,
path=0x1245f538) at cairo-gstate.c:1185
#11 0x0000000006c2dbad in _cairo_default_context_stroke
(abstract_cr=0x1245f1d0) at cairo-default-context.c:1013
#12 0x0000000006c225e5 in INT_cairo_stroke (cr=0x1245f1d0) at cairo.c:2146
#13 0x0000000004e5ae8e in rsvg_cairo_render_path (ctx=0x12463af0,
path=&lt;optimized out&gt;) at rsvg-cairo-draw.c:549</pre>
</div>
</p>
</body>
</html>