[cairo-bugs] [Bug 84952] New: [PATCH] Recording surface ink extents: difference between two fixed point numbers may overflow before conversion to double
bugzilla-daemon at freedesktop.org
Sun Oct 12 23:35:39 PDT 2014
https://bugs.freedesktop.org/show_bug.cgi?id=84952
Bug ID: 84952
Summary: [PATCH] Recording surface ink extents: difference between two fixed point numbers may overflow before conversion to double
Product: cairo
Version: 1.12.16
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: general
Assignee: chris at chris-wilson.co.uk
Reporter: cmantunes at gmail.com
QA Contact: cairo-bugs at cairographics.org
Created attachment 107759
--> https://bugs.freedesktop.org/attachment.cgi?id=107759&action=edit
Patch fixes fixed-point overflow bug on recording-surface
A recording surface may return an incorrect result for ink extents when, for
example, it is created unbounded. This is due to a bug in the conversion of a
difference from fixed to floating point. The code for
cairo_recording_surface_ink_extents reads at some point:
    *width = _cairo_fixed_to_double (bbox.p2.x - bbox.p1.x);
    *height = _cairo_fixed_to_double (bbox.p2.y - bbox.p1.y);
The "solution" (short of getting rid of fixed point altogether) is to change
this to:
    *width = _cairo_fixed_to_double (bbox.p2.x) - _cairo_fixed_to_double (bbox.p1.x);
    *height = _cairo_fixed_to_double (bbox.p2.y) - _cairo_fixed_to_double (bbox.p1.y);
This was tested on MSYS2/MinGW64 and indeed it works as expected.
Attached, you'll find the simple patch. It works against 1.12.16 but the bug is
still present on HEAD.
Thanks!
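The overflow described in the report, as an added stand-alone example that is not code from cairo or from the attached patch. It assumes a 24.8 fixed-point value stored in a 32-bit int; the names fixed_t, extent_subtract_then_convert, extent_convert_then_subtract and extent_fits_fixed are hypothetical, and the bounding box in main() is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 24.8 fixed point held in a signed 32-bit integer. */
typedef int32_t fixed_t;
#define FIXED_FRAC_BITS 8

static double fixed_to_double(fixed_t f)
{
    return (double)f / (double)(1 << FIXED_FRAC_BITS);
}

/* Pattern from the report's "before" code: subtract in fixed point, then
 * convert. Signed overflow is undefined behaviour in C, so the wraparound
 * is modelled here with unsigned arithmetic to keep the example defined. */
static double extent_subtract_then_convert(fixed_t p1, fixed_t p2)
{
    fixed_t wrapped = (fixed_t)((uint32_t)p2 - (uint32_t)p1);
    return fixed_to_double(wrapped);
}

/* Pattern from the report's "after" code: convert each coordinate to
 * double first, so the subtraction cannot overflow the 32-bit type. */
static double extent_convert_then_subtract(fixed_t p1, fixed_t p2)
{
    return fixed_to_double(p2) - fixed_to_double(p1);
}

/* Check a caller or test could use: does p2 - p1 fit in fixed_t at all? */
static int extent_fits_fixed(fixed_t p1, fixed_t p2)
{
    int64_t d = (int64_t)p2 - (int64_t)p1;
    return d >= INT32_MIN && d <= INT32_MAX;
}

int main(void)
{
    /* Constructed sample: a box spanning the whole fixed-point range,
     * standing in for the extents of an unbounded surface. */
    fixed_t p1 = INT32_MIN, p2 = INT32_MAX;

    printf("difference fits in fixed_t: %d\n", extent_fits_fixed(p1, p2));
    printf("subtract, then convert:     %f\n",
           extent_subtract_then_convert(p1, p2));
    printf("convert, then subtract:     %f\n",
           extent_convert_then_subtract(p1, p2));
    return 0;
}
```

For coordinates whose difference fits in 32 bits the two functions agree, which is why the defect only shows up with very large extents.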