[cairo-commit] src/cairo-image-compositor.c
Bryce Harrington
bryce at kemper.freedesktop.org
Fri Dec 5 19:16:46 PST 2014
src/cairo-image-compositor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit 5c82d91a5e15d29b1489dcb413b24ee7fdf59934
Author: Bryce Harrington <bryce at osg.samsung.com>
Date: Wed Dec 3 19:28:15 2014 -0800
image: Fix crash in _fill_xrgb32_lerp_opaque_spans
If a span length is negative don't go out of bounds processing the fill
data.
Patch thanks to Ilya Sakhnenko <ilia.softway at gmail.com> on mailing list.
Signed-off-by: Bryce Harrington <bryce at osg.samsung.com>
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index 6ff0f09..48072f8 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -2242,10 +2242,10 @@ _fill_xrgb32_lerp_opaque_spans (void *abstract_renderer, int y, int h,
spans[0].x, y, len, 1, r->u.fill.pixel);
} else {
uint32_t *d = (uint32_t*)(r->u.fill.data + r->u.fill.stride*y + spans[0].x*4);
- while (len--)
+ while (len-- > 0)
*d++ = r->u.fill.pixel;
}
- } else while (len--) {
+ } else while (len-- > 0) {
*d = lerp8x4 (r->u.fill.pixel, a, *d);
d++;
}
More information about the cairo-commit
mailing list