[cairo-commit] src/cairo-bentley-ottmann-rectangular.c
Chris Wilson
ickle at kemper.freedesktop.org
Mon Feb 22 06:34:11 PST 2010
src/cairo-bentley-ottmann-rectangular.c | 6 ++++++
1 file changed, 6 insertions(+)
New commits:
commit 9f46bad301eff967dc0790fc271d872f8a45cedb
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date: Mon Feb 22 14:20:34 2010 +0000
bo-rectangular: Prevent invalid read during edge traversal
Benjamin Otte tracked down an invalid read triggered by WebKit. The
cause is that we attempt to dereference the list_head as an edge as we
failed to check that during the skipping of colinear edges we advanced
to the end, under the false assumption that there would always
be a closing edge in a rectangle. This assumption is broken if the tail
rectangles have colinear right edges.
diff --git a/src/cairo-bentley-ottmann-rectangular.c b/src/cairo-bentley-ottmann-rectangular.c
index ce4e01f..736762e 100644
--- a/src/cairo-bentley-ottmann-rectangular.c
+++ b/src/cairo-bentley-ottmann-rectangular.c
@@ -422,6 +422,9 @@ active_edges_to_traps (sweep_line_t *sweep,
winding += right->dir;
if (winding == 0) {
+ if (right->next == &sweep->tail)
+ break;
+
/* skip co-linear edges */
if (likely (right->x != right->next->x))
break;
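Review bot: The new `if (right->next == &sweep->tail)` guard has no comment, and it sits above the existing "skip co-linear edges" comment as if it were unrelated to it. A one-line comment saying that `sweep->tail` is the list head rather than an edge, so `right->next->x` must not be read once it is reached, would keep a later cleanup from folding the two tests together or reordering them. Since the adjacent test is already annotated with `likely (...)`, consider marking this end-of-list case `unlikely (...)` for consistency.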
@@ -450,6 +453,9 @@ active_edges_to_traps (sweep_line_t *sweep,
right, top, do_traps, container);
}
+ if (pos == &sweep->tail)
+ break;
+
/* skip co-linear edges */
if (right->x != pos->x)
break;
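Review bot: The `if (pos == &sweep->tail)` guard protects the `pos->x` read just below it, but it is written differently from the first hunk, which tests `right->next`. A short comment stating that both guard the same end-of-list condition would help. The visible context does not show whether `pos` is dereferenced earlier in this loop body, so confirm that this is the first read after `pos` advances. The diffstat also shows only this one file changed, so no regression test accompanies the fix; a test with trailing rectangles whose right edges are colinear, the case named in the commit message, would pin the behaviour down.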