[cairo] Bug: Crash in cairo-1.9.8

Chris Wilson chris at chris-wilson.co.uk
Thu Jun 17 01:37:00 PDT 2010


On Wed, 16 Jun 2010 21:31:00 -0400, cu <cairouser at yahoo.com> wrote:
> I think I found it:
> 
> In cairo-rectangular-scan-converter.c:337
>    if (y == rectangle->bottom_y) {
>        height = rectangle->bottom & CAIRO_FIXED_FRAC_MASK;
>        if (height == 0)
>       continue;
>    } else
>        height = CAIRO_FIXED_ONE;
>    if (y == rectangle->top_y)
>        height -= rectangle->top & CAIRO_FIXED_FRAC_MASK;
>    height *= rectangle->dir;

Yikes, an unrelated bug also fixed by Andrea's correction to remove the
unexpected unsignage of FRAC_MASK. However, the values here are expected
to be all positive (and your bug doesn't even go near this code path),
as the input is clipped to the surface.

The bug was simply one path was using round() to check if the trapezoids
were boxes and a later path used round_down() to finally convert the boxes
into pixels, so causing us to attempt to fill from row 0 to -1.

I think this is the fix for mishandling your path:

commit 36b4b0631cc220d01c411b596a4eef839338cd7c
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Thu Jun 17 08:50:31 2010 +0100

    image: Use consistent rounding modes for a1 rasterisation.
    
    When checking if the traps are equivalent to a set of rectangles, we
    need to use the same rounding mode as when converting the traps to a set
    of boxes and then filling them. Failure to do leads to a situation where
    (-127,-128) was thought to be equivalent to (0,0) but we attempted to
    fill from 0 to -1 instead.


Thank you and Bill for the bug report and investigating. That unsigned
promotion would have lived for quite some time causing very subtle
crashes!
-ickle

-- 
Chris Wilson, Intel Open Source Technology Centre


More information about the cairo mailing list