[cairo] [Cairo][PATCH] _mono_scan_converter_init() : Fix array size in Mono scan converter

조성원 seongwon1.cho at samsung.com
Wed Feb 29 03:42:20 PST 2012


I am sorry, but I can't send email directly with "git format-patch" or "git send-email" because of a security issue.
Please find the attached patch file.
If this email does not meet your requirements, I will send it again from my private e-mail.

Thanks.


From d16f50507a96b714b726880ad49c9dbdccbe67f8 Mon Sep 17 00:00:00 2001
From: Seongwon Cho <seongwon1.cho at samsung.com>
Date: Wed, 29 Feb 2012 18:59:34 +0900
Subject: [PATCH] Array size should be fixed in Mono scan converter  - Crash
 might be occurred  - In tor scan converter same problem is
 fixed    (e8dd13c8fa39c1e3118a4f197ee8865237be7e09)

Reviewed-by: Zhigang Gong <zhigang.gong at linux.intel.com>
---
 src/cairo-mono-scan-converter.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/cairo-mono-scan-converter.c b/src/cairo-mono-scan-converter.c
index a617f48..106f801 100644
--- a/src/cairo-mono-scan-converter.c
+++ b/src/cairo-mono-scan-converter.c
@@ -390,13 +390,15 @@ _mono_scan_converter_init(struct mono_scan_converter *c,
 			  int xmax, int ymax)
 {
     cairo_status_t status;
+    int max_num_spans;
 
     status = polygon_init (c->polygon, ymin, ymax);
     if  (unlikely (status))
 	return status;
 
-    if (xmax - xmin > ARRAY_LENGTH(c->spans_embedded)) {
-	c->spans = _cairo_malloc_ab (xmax - xmin,
+    max_num_spans = xmax - xmin + 1;
+    if (max_num_spans > ARRAY_LENGTH(c->spans_embedded)) {
+	c->spans = _cairo_malloc_ab (max_num_spans,
 				     sizeof (cairo_half_open_span_t));
 	if (unlikely (c->spans == NULL)) {
 	    polygon_fini (c->polygon);
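Review bot: The new assignment `max_num_spans = xmax - xmin + 1` carries no comment explaining why one extra element is needed, and the commit message only points at the tor scan converter fix. A one-line comment at the assignment naming what occupies the extra slot would let a reader check the off-by-one reasoning without digging up the other commit. Separately, `max_num_spans` is a signed int computed from the `xmin`/`xmax` parameters with no range check visible in this hunk, so an inverted or very wide extent would produce a negative or overflowed count before it reaches the comparison with `ARRAY_LENGTH(c->spans_embedded)` and the call to `_cairo_malloc_ab`. Consider validating that `xmax >= xmin` (and that the difference fits) before the addition.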
-- 
1.7.5.4


------- Original Message -------
Sender : Chris Wilson<chris at chris-wilson.co.uk>
Date : 2012-02-29 19:34 (GMT+09:00)
Title : Re: [cairo] [Cairo][PATCH] _mono_scan_converter_init() : Fix array size in Mono scan converter

On Wed, 29 Feb 2012 10:15:42 +0000 (GMT), SeongWon Cho wrote:
Non-text part: text/html

Please use "git format-patch" or "git send-email" to send patches as plain
text rather than HTML.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Array-size-should-be-fixed-in-Mono-scan-converter.patch
Type: application/octet-stream
Size: 1326 bytes
Desc: not available
URL: <http://lists.cairographics.org/archives/cairo/attachments/20120229/1779c154/attachment-0001.obj>
