[cairo-bugs] [Bug 75705] "double free or corruption" error appeares while i try to draw dotted line
bugzilla-daemon at freedesktop.org
Mon Mar 3 11:01:27 PST 2014
https://bugs.freedesktop.org/show_bug.cgi?id=75705
--- Comment #1 from Uli Schlachter <psychon at znc.in> ---
Created attachment 95052
--> https://bugs.freedesktop.org/attachment.cgi?id=95052&action=edit
Patch adding two printf calls highlighting the cause for the heap corruption
With the attached patch and running the test program under valgrind, we get the
following output:
converter->spans allocated array of size 71
Using index 71
==15967== Invalid write of size 4
==15967== at 0x4ED51E6: _cairo_tor22_scan_converter_generate (cairo-tor22-scan-converter.c:1443)
==15967== by 0x4EC14BF: clip_and_composite_polygon (cairo-spans-compositor.c:801)
==15967== by 0x4EC2106: _cairo_spans_compositor_stroke (cairo-spans-compositor.c:1083)
==15967== by 0x4E61EFB: _cairo_compositor_stroke.part.0 (cairo-compositor.c:157)
[...]
==15967== Address 0x8333638 is 0 bytes after a block of size 568 alloc'd
[...]
index used
So the tor22 scan converter reads one entry behind the converter's spans array.
Figuring out why this happens, turning this into a unit test for the test suite
and checking if the other scan converters are affected, too, is left as an
exercise for someone who knows more about this code.
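
Added example, not part of the original comment and not cairo's code: a bounds-checked span store in C that replays the numbers from the output above (array of size 71, index 71, block of size 568) and shows how the valgrind "0 bytes after a block" line maps back to the index. The 8-byte span_t layout, span_buf_t and every function name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed 8-byte span record (not cairo's definition): 71 * 8 = 568 bytes. */
typedef struct { int32_t x; uint8_t coverage; uint8_t pad[3]; } span_t;

typedef struct { span_t *spans; size_t capacity; } span_buf_t;

/* Distance in bytes past the end of the allocation at which a write to
 * spans[index].x would land, or -1 when the index is in bounds.
 * Valid indices are 0 .. capacity-1, so index == capacity gives 0. */
long bytes_past_end(size_t capacity, size_t index) {
    if (index < capacity)
        return -1;
    return (long)((index - capacity) * sizeof(span_t) + offsetof(span_t, x));
}

/* Checked store: reports and refuses instead of writing out of bounds. */
int span_store(span_buf_t *b, size_t index, int32_t x, uint8_t coverage) {
    long past = bytes_past_end(b->capacity, index);
    if (past >= 0) {
        fprintf(stderr, "refused: index %zu, array of size %zu "
                "(%ld bytes after a block of size %zu)\n",
                index, b->capacity, past, b->capacity * sizeof(span_t));
        return -1;
    }
    b->spans[index].x = x;
    b->spans[index].coverage = coverage;
    return 0;
}

/* Replays the reported case: 71 entries allocated, indices 0..71 used.
 * Returns how many stores were refused, or -2 on allocation failure. */
int replay_report(void) {
    span_buf_t b = { calloc(71, sizeof(span_t)), 71 };
    int refused = 0;
    if (b.spans == NULL)
        return -2;
    for (size_t i = 0; i <= 71; i++)
        if (span_store(&b, i, (int32_t)i, 255) != 0)
            refused++;
    free(b.spans);
    return refused;
}

int main(void) { return replay_report() == 1 ? 0 : 1; }
```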