From: Ritesh Khadgaray <[email protected]>
This test will create a trapezoid with an invalid bottom, where
subtracting bottom from top will result in a value less than MIN_INT,
leading to an underflow error.
(int)((t)->bottom - (t)->top) > 0
This leads to invalid memory read/write and a crash.
---
test/trap-crasher.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/test/trap-crasher.c b/test/trap-crasher.c
index 4e4cac2..c1162fd 100644
--- a/test/trap-crasher.c
+++ b/test/trap-crasher.c
@@ -5,7 +5,7 @@ int
main()
{
pixman_image_t *dst;
- pixman_trapezoid_t traps[1] = {
+ pixman_trapezoid_t traps[2] = {
{
2147483646,
2147483647,
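Review bot: the explicit size in `pixman_trapezoid_t traps[2]` has to be kept in step with the initializer by hand, and the diffstat shows this declaration is the only line removed, so the call that consumes `traps` is unchanged by the patch. If that call passes a literal count of 1, the new entry is never rasterized and the test does not cover the bug. Suggest declaring `traps[]` and confirming the count handed to the rasterizer is derived from `sizeof (traps) / sizeof (traps[0])`.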
@@ -18,6 +18,23 @@ main()
{ 0, 2147483647 }
}
},
+
+ /* fdo bug #67484 - Corrupted CustomShape crashes Xorg
+ subtracting t->top from t->bottom wraps around MIN_INT
+ and an invalid trap, followed by crash
+ */
+ {
+ 32768,
+ -2147483647,
+ {
+ { 0, 0 },
+ { 0, 2147483647 }
+ },
+ {
+ { 65536, 0 },
+ { 0, 2147483647 }
+ }
+ },
};
dst = pixman_image_create_bits (PIXMAN_a8, 1, 1, NULL, -1);
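Review bot: the comment above the new entry does not say which of the two unlabeled values is top and which is bottom, and "wraps around MIN_INT and an invalid trap, followed by crash" is hard to parse. Suggest spelling it out: with top = 32768 and bottom = -2147483647, bottom - top falls below the 32-bit minimum and wraps to a positive value, so the `(int)((t)->bottom - (t)->top) > 0` check quoted in the commit message accepts a trap whose bottom lies above its top. The commit message says "subtracting bottom from top" while this comment says t->top is subtracted from t->bottom; the two should agree.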
--
1.8.3.2