Hi, Thanks for the updated patches. They both look good. Unfortunately, in order to get the 0.32.0 release out with the trapezoid issue fixed, I already pushed some similar patches a couple of weeks ago:
http://cgit.freedesktop.org/pixman/commit/?id=2f876cf86718d3dd9b3b04ae9552530edafe58a1
http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c

Søren

Ritesh Khadgaray <[email protected]> writes:

> From: Ritesh Khadgaray <[email protected]>
>
> This test will create a trapezoid with an invalid bottom, where
> subtracting bottom from top will result in a value less than MIN_INT,
> leading to underflow error.
>
> (int)((t)->bottom - (t)->top) > 0
>
> This leads to invalid memory read/write and a crash.
> --- > test/trap-crasher.c | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > > diff --git a/test/trap-crasher.c b/test/trap-crasher.c > index 4e4cac2..c1162fd 100644 > --- a/test/trap-crasher.c > +++ b/test/trap-crasher.c > @@ -5,7 +5,7 @@ int > main() > { > pixman_image_t *dst; > - pixman_trapezoid_t traps[1] = { > + pixman_trapezoid_t traps[2] = { > { > 2147483646, > 2147483647, > @@ -18,6 +18,23 @@ main() > { 0, 2147483647 } > } > }, > + > + /* fdo bug #67484 - Corrupted CustomShape crashes Xorg > + subtracting t->top from t->bottom wraps around MIN_INT > + and an invalid trap, followed by crash > + */ > + { > + 32768, > + -2147483647, > + { > + { 0, 0 }, > + { 0, 2147483647 } > + }, > + { > + { 65536, 0 }, > + { 0, 2147483647 } > + } > + }, > }; > > dst = pixman_image_create_bits (PIXMAN_a8, 1, 1, NULL, -1);
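
Review bot: the hard-coded bound in `pixman_trapezoid_t traps[2]` (first hunk, @@ -5,7) has to be edited by hand each time a case is added, and the call that passes the element count is outside the visible context. Suggest declaring `traps[]` and computing the count as `sizeof (traps) / sizeof (traps[0])`, and confirming that the call covers both entries; if the count is still 1, the new trapezoid is never exercised and the test passes without testing the fix.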
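
Review bot: the comment above the new entry (second hunk, @@ -18,6) does not say what actually goes wrong; "wraps around MIN_INT and an invalid trap, followed by crash" is hard to parse, and the commit message says "subtracting bottom from top" while the quoted check is `(t)->bottom - (t)->top`. Suggest spelling out the values in the comment: with top = 32768 and bottom = -2147483647, bottom - top is -2147516415, which is below the smallest 32-bit signed value, so (assuming a 32-bit int) the cast result wraps to a positive number and the `> 0` validity check accepts a trapezoid whose bottom lies above its top.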
