[cairo] Crash bug in cairo-quartz-surface.c
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Dec 5 16:11:11 PST 2007
I just ran into a crash in ComputeGradientValue in cairo-quartz-surface.c. In
particular, the caller passes in an empty gradient (grad->n_stops == 0).
The relevant part of the code looks like this:
    for (i = 0; i < grad->n_stops; i++) {
        if (grad->stops[i].x > fdist_fix)
            break;
    }

    if (i == 0 || i == grad->n_stops) {
        if (i == grad->n_stops)
            --i;
        out[0] = grad->stops[i].color.red;
When n_stops is 0, we end up with i == 0 after the first loop, then i ==
grad->n_stops, so we decrement i. i is declared as an unsigned int, so we end up
accessing grad->stops[0xffffffff] and crash. Of course if it were a signed int
we'd be accessing grad->stops[-1], which isn't so much better....
I'm not sure what this function should be doing if it gets a gradient with no
stops or whether it should just not be called at all... The callstack is:
ComputeGradientValue
CGFunctionEvaluate
drawAxialShading
CGContextDrawShading
_cairo_quartz_surface_fill
-Boris
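The lookup the post describes, as an added example that is not cairo's code: a small model of the stop search with the same unsigned index and decrement, next to a guarded variant that refuses to index an empty stop array. The struct and function names (stop_t, gradient_t, lookup_stop_unguarded, lookup_stop_guarded, the demo_* helpers) and the two-stop sample gradient are assumptions constructed for the demo; the unguarded version returns the index it would have used instead of dereferencing it, so the wraparound can be observed without crashing.

```c
#include <limits.h>
#include <stdio.h>

typedef struct {
    double x;                        /* stop offset along the gradient, 0.0 .. 1.0 */
    double red, green, blue, alpha;
} stop_t;

typedef struct {
    unsigned int n_stops;
    const stop_t *stops;
} gradient_t;

/* Same control flow the post quotes: unsigned i, decremented when it lands on
 * n_stops. Returns the index that would be read instead of reading it. */
unsigned int lookup_stop_unguarded(const gradient_t *grad, double fdist)
{
    unsigned int i;
    for (i = 0; i < grad->n_stops; i++) {
        if (grad->stops[i].x > fdist)
            break;
    }
    if (i == 0 || i == grad->n_stops) {
        if (i == grad->n_stops)
            --i;                     /* n_stops == 0: 0 - 1 wraps to UINT_MAX */
    }
    return i;
}

/* Guarded version: writes the colour for fdist into out[4] and returns 1, or
 * fills transparent black and returns 0 when there is no stop to read. */
int lookup_stop_guarded(const gradient_t *grad, double fdist, double out[4])
{
    unsigned int i;
    const stop_t *a, *b;
    double t;

    if (grad->n_stops == 0 || grad->stops == NULL) {
        out[0] = out[1] = out[2] = out[3] = 0.0;
        return 0;
    }
    for (i = 0; i < grad->n_stops; i++) {
        if (grad->stops[i].x > fdist)
            break;
    }
    if (i == 0 || i == grad->n_stops) {
        if (i == grad->n_stops)
            --i;                     /* safe: n_stops >= 1, so i >= 1 here */
        out[0] = grad->stops[i].red;   /* clamp to the first or last stop */
        out[1] = grad->stops[i].green;
        out[2] = grad->stops[i].blue;
        out[3] = grad->stops[i].alpha;
        return 1;
    }
    a = &grad->stops[i - 1];         /* between two stops: interpolate */
    b = &grad->stops[i];
    t = (b->x > a->x) ? (fdist - a->x) / (b->x - a->x) : 0.0;
    out[0] = a->red   + (b->red   - a->red)   * t;
    out[1] = a->green + (b->green - a->green) * t;
    out[2] = a->blue  + (b->blue  - a->blue)  * t;
    out[3] = a->alpha + (b->alpha - a->alpha) * t;
    return 1;
}

/* Constructed sample data: opaque red at 0.0, opaque blue at 1.0. */
static const stop_t sample_stops[2] = {
    { 0.0, 1.0, 0.0, 0.0, 1.0 },
    { 1.0, 0.0, 0.0, 1.0, 1.0 },
};
static const gradient_t sample_gradient = { 2, sample_stops };
static const gradient_t empty_gradient  = { 0, NULL };

unsigned int demo_unguarded_empty(void)
{
    return lookup_stop_unguarded(&empty_gradient, 0.5);
}

int demo_guarded_empty(void)
{
    double out[4];
    return lookup_stop_guarded(&empty_gradient, 0.5, out);
}

/* One channel (0..3) of the guarded lookup on the sample gradient. */
double demo_guarded_channel(double fdist, int channel)
{
    double out[4];
    lookup_stop_guarded(&sample_gradient, fdist, out);
    return out[channel];
}

int main(void)
{
    printf("unguarded index on empty gradient: %u (UINT_MAX is %u)\n",
           demo_unguarded_empty(), UINT_MAX);
    printf("guarded status on empty gradient: %d\n", demo_guarded_empty());
    printf("guarded colour at 0.5: r=%.2f g=%.2f b=%.2f\n",
           demo_guarded_channel(0.5, 0), demo_guarded_channel(0.5, 1),
           demo_guarded_channel(0.5, 2));
    return 0;
}
```

The guard is the only behavioural difference for non-empty gradients; with n_stops >= 1 the decrement can never wrap, which is the invariant the original loop implicitly relied on.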