[cairo-bugs] [Bug 90120] Image compositor can pass invalid coordinates to pixman_fill()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Apr 22 23:58:32 PDT 2015


--- Comment #9 from Chris Wilson <chris at chris-wilson.co.uk> ---
(In reply to Federico Mena-Quintero from comment #8)
> (In reply to Chris Wilson from comment #7)
> > Created attachment 115240 [details] [review]
> > Preliminary stroke validation
> This is really nice!  It fixes the problem very cleanly - valgrind shows no
> problems with the fuzzed file.
> (And thanks for making me aware of CAIRO_STATUS_INVALID_SIZE; hopefully
> we'll have a lot more of it in the future :)

If we start doing this, we should pick a new error status stg

> Chris, since you just put your foot into the rabbit hole :)  May I interest
> you in another fixed-point overflow thing?  This goes back to the old bugs
> #20091 and #39096.  Using this fuzzed svg
> <svg>
>   <defs>
>     <clipPath id="clipper">
>       <rect y="19" width="2" height="2" />
>       <rect width="18446744073709551616" height="29" />
>     </clipPath>
>   </defs>
>   <g clip-path="url(#clipper)">
>     <g clip-path="url(#clipper)">
>     </g>
>   </g>
> </svg>
> with rsvg-view-3 and valgrind produces...

The error is in the stage before not successfully generating a watertight
clipped polygon. It's one of those impossible conditions since it is only meant
to output pairs of edges, but the error you see later on is when you find an
edge with no pair.
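
Added example (not part of the original message, and neither cairo's code nor the attached patch): a range check applied to the two `<rect>` elements of the fuzzed SVG before their coordinates are converted to fixed point, so the oversized width is rejected with an invalid-size status instead of reaching the polygon stage. It assumes a 32-bit fixed-point type with 8 fractional bits; every name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit fixed point with 8 fractional bits (24.8). */
#define FRAC_BITS 8
#define FIXED_ONE (1 << FRAC_BITS)
/* Largest and smallest doubles that still fit in int32_t after scaling. */
#define FIXED_MAX_D ((double) INT32_MAX / FIXED_ONE)
#define FIXED_MIN_D ((double) INT32_MIN / FIXED_ONE)

typedef int32_t fixed_t;
typedef enum { STATUS_OK = 0, STATUS_INVALID_SIZE = 1 } status_t; /* hypothetical */
typedef struct { fixed_t x1, y1, x2, y2; } box_t;                 /* hypothetical */

/* Convert only when the value is representable. Casting an out-of-range
 * double to an integer type is undefined behaviour in C. */
static int fixed_from_double(double d, fixed_t *out)
{
    /* Written as a positive range test so NaN and infinities fail it too. */
    if (!(d >= FIXED_MIN_D && d <= FIXED_MAX_D))
        return 0;
    *out = (fixed_t) (d * FIXED_ONE); /* truncates toward zero */
    return 1;
}

/* Validate a rectangle before any geometry is built from it. */
static status_t rect_to_box(double x, double y, double w, double h, box_t *box)
{
    if (!(w >= 0 && h >= 0))
        return STATUS_INVALID_SIZE;
    /* Check the far corner as well: x and w may each fit while x + w does not. */
    if (!fixed_from_double(x, &box->x1) || !fixed_from_double(y, &box->y1) ||
        !fixed_from_double(x + w, &box->x2) || !fixed_from_double(y + h, &box->y2))
        return STATUS_INVALID_SIZE;
    return STATUS_OK;
}

int main(void)
{
    box_t b;
    /* The two <rect> elements from the fuzzed SVG quoted in the message. */
    printf("small rect: %d\n", rect_to_box(0, 19, 2, 2, &b));
    printf("2^64 wide:  %d\n", rect_to_box(0, 0, 18446744073709551616.0, 29, &b));
    return 0;
}
```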
