[cairo-commit] 2 commits - src/cairo-xlib-display.c src/cairo-xlib-private.h

Uli Schlachter psychon at kemper.freedesktop.org
Thu Oct 3 12:04:38 PDT 2013

 src/cairo-xlib-display.c |    6 ------
 src/cairo-xlib-private.h |    2 +-
 2 files changed, 1 insertion(+), 7 deletions(-)

New commits:
commit 49366c5e9e7d5afd0daef4c53a41472e020145eb
Author: Uli Schlachter <psychon at znc.in>
Date:   Thu Oct 3 17:53:34 2013 +0200

    cairo-xlib: Fix out of bounds array access in format cache
    The cairo-xlib backend maintains a mapping from cairo_format_t to xrender
    formats. This is done via an array. The size of this array is
    CAIRO_FORMAT_RGB16_565 + 1 which evaluates to 5.
    However, CAIRO_FORMAT_RGB30 has the numeric value 5, too. Thus, using this value
    as an index into the array would actually read the following force_precision
    field from cairo_xlib_display_t.
    This could be triggered by passing CAIRO_FORMAT_RGB30 to
    _cairo_xlib_display_get_xrender_format(). From a quick look, I didn't find any
    code which would allow doing this, but neither did I find anything allowing
    CAIRO_FORMAT_RGB16_565, so it's better to handle this correctly than assert()ing
    for this to never happen.
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-xlib-private.h b/src/cairo-xlib-private.h
index 4fd725f..822c85b 100644
--- a/src/cairo-xlib-private.h
+++ b/src/cairo-xlib-private.h
@@ -81,7 +81,7 @@ struct _cairo_xlib_display {
     int render_major;
     int render_minor;
-    XRenderPictFormat *cached_xrender_formats[CAIRO_FORMAT_RGB16_565 + 1];
+    XRenderPictFormat *cached_xrender_formats[CAIRO_FORMAT_RGB30 + 1];
     int force_precision;
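Review bot: The new bound on cached_xrender_formats is still spelled as a specific enumerator (CAIRO_FORMAT_RGB30 + 1), which is the same pattern that went stale when RGB30 was added after RGB16_565. A comment on this declaration saying the size must track the highest cairo_format_t value, or a compile-time assertion next to it, would keep the next added format from silently indexing into force_precision again. The commit message also notes that the function does not reject unexpected formats, so a range check on the index before it touches this array would be a more durable fix than resizing alone.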
commit 217bed84dda43f018e59a4d9a229f63095e1aa06
Author: Uli Schlachter <psychon at znc.in>
Date:   Thu Oct 3 17:44:27 2013 +0200

    Revert "[xlib] Fast-path the likely case of retrieving a known xrender_format"
    This reverts commit 09a2b2ed3189fe12483cbd673c24ceddc2c20f3f.
    Back in 2009, _cairo_xlib_display_get_xrender_format() had to acquire a lock to
    do its job. The above commit added a fast-path which avoided the lock in most
    However, in 2010 commit f74ad37e66bbdcc4d727ed6d931dde870d84c2f4 modified the
    locking in the cairo-xlib backend and now this function never takes any locks.
    Thus, the fast-path that was added a year earlier now just does the same thing
    that the regular code does and the list of cached formats was checked twice.
    Reverting the earlier commit fixes this.
    Signed-off-by: Uli Schlachter <psychon at znc.in>

diff --git a/src/cairo-xlib-display.c b/src/cairo-xlib-display.c
index c505db4..4933961 100644
--- a/src/cairo-xlib-display.c
+++ b/src/cairo-xlib-display.c
@@ -491,12 +491,6 @@ _cairo_xlib_display_get_xrender_format (cairo_xlib_display_t	*display,
     XRenderPictFormat *xrender_format;
-    xrender_format = display->cached_xrender_formats[format];
-    if (likely (xrender_format != NULL))
-	return xrender_format;
     xrender_format = display->cached_xrender_formats[format];
     if (xrender_format == NULL) {
 	int pict_format = PictStandardNUM;
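Review bot: The lookup that remains, `xrender_format = display->cached_xrender_formats[format];`, indexes the array with the caller-supplied format and no range check is visible in this hunk. Since the companion commit fixes an out-of-bounds read on this same array, consider validating format against the array length before the index here, so the single remaining access is the one place that enforces the bound. The removal itself looks fine: the deleted fast path and the context line read the same slot, so no behaviour is lost.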
