[cairo-commit] src/cairo-xlib-surface.c

[Chris Wilson]

 src/cairo-xlib-surface.c |   27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

New commits:
commit 67d40e5c7300c4082484dbda5c81808737bb2ac5
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Sun Sep 6 10:17:40 2009 +0100

    [xlib] Protect ourselves from liars that claim to have a 64k window
    
    Found using webkit, who attempt to paint an width X page height window.
    Please, please clip large windows to the visible area. Thanks.

diff --git a/src/cairo-xlib-surface.c b/src/cairo-xlib-surface.c
index a8507ff..375c660 100644
--- a/src/cairo-xlib-surface.c
+++ b/src/cairo-xlib-surface.c
@@ -3063,6 +3063,11 @@ cairo_xlib_surface_create (Display     *dpy,
     cairo_surface_t *surface;
     cairo_status_t status;
 
+    if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX) {
+	/* you're lying, and you know it! */
+	return _cairo_surface_create_in_error (CAIRO_STATUS_INVALID_SIZE);
+    }
+
     scr = _cairo_xlib_screen_from_visual (dpy, visual);
     if (scr == NULL)
 	return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_INVALID_VISUAL));
@@ -3104,6 +3109,9 @@ cairo_xlib_surface_create_for_bitmap (Display  *dpy,
     cairo_surface_t *surface;
     cairo_status_t status;
 
+    if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX)
+	return _cairo_surface_create_in_error (CAIRO_STATUS_INVALID_SIZE);
+
     status = _cairo_xlib_screen_get (dpy, scr, &screen);
     if (unlikely (status))
 	return _cairo_surface_create_in_error (status);
@@ -3149,6 +3157,9 @@ cairo_xlib_surface_create_with_xrender_format (Display		    *dpy,
     cairo_surface_t *surface;
     cairo_status_t status;
 
+    if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX)
+	return _cairo_surface_create_in_error (CAIRO_STATUS_INVALID_SIZE);
+
     status = _cairo_xlib_screen_get (dpy, scr, &screen);
     if (unlikely (status))
 	return _cairo_surface_create_in_error (status);
@@ -3222,6 +3233,12 @@ cairo_xlib_surface_set_size (cairo_surface_t *abstract_surface,
 	return;
     }
 
+    if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX) {
+	status = _cairo_surface_set_error (abstract_surface,
+		                           CAIRO_STATUS_INVALID_SIZE);
+	return;
+    }
+
     surface->width = width;
     surface->height = height;
 }
@@ -3254,6 +3271,12 @@ cairo_xlib_surface_set_drawable (cairo_surface_t   *abstract_surface,
 	return;
     }
 
+    if (width > XLIB_COORD_MAX || height > XLIB_COORD_MAX) {
+	status = _cairo_surface_set_error (abstract_surface,
+		                           CAIRO_STATUS_INVALID_SIZE);
+	return;
+    }
+
     /* XXX: and what about this case? */
     if (surface->owns_pixmap)
 	return;
@@ -3423,7 +3446,7 @@ cairo_xlib_surface_get_width (cairo_surface_t *abstract_surface)
 
     if (! _cairo_surface_is_xlib (abstract_surface)) {
 	_cairo_error_throw (CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
-	return -1;
+	return 0;
     }
 
     return surface->width;
@@ -3446,7 +3469,7 @@ cairo_xlib_surface_get_height (cairo_surface_t *abstract_surface)
 
     if (! _cairo_surface_is_xlib (abstract_surface)) {
 	_cairo_error_throw (CAIRO_STATUS_SURFACE_TYPE_MISMATCH);
-	return -1;
+	return 0;
     }
 
     return surface->height;