Hello,

The patch below intends to fix an arithmetic overflow occurring in a pointer arithmetic context in ‘general_composite_rect’, as explained at:
https://bugs.freedesktop.org/show_bug.cgi?id=92027#c6

The bug can most likely lead to a crash.

In a preliminary review, Siarhei Siamashka notes that ‘width + 1’ is insufficient to take 16-byte alignment constraints into account. Indeed, AFAICS, it is sufficient when Bpp == 16 but probably not when Bpp == 4. Siarhei also suggests that more rewriting is needed in that part of the code, but I’ll leave that to you. ;-)

Thanks,
Ludo’.
Fix <https://bugs.freedesktop.org/show_bug.cgi?id=92027> whereby an arithmetic overflow could occur while doing pointer arithmetic, leading pixman to use an invalid address as the destination buffer. --- pixman-0.32.6/pixman/pixman-general.c 2015-09-21 15:14:34.695981325 +0200 +++ pixman-0.32.6/pixman/pixman-general.c 2015-09-21 15:19:48.898355548 +0200 @@ -144,8 +144,7 @@ general_composite_rect (pixman_implemen mask_buffer = ALIGN (src_buffer + width * Bpp); dest_buffer = ALIGN (mask_buffer + width * Bpp); - if (ALIGN (dest_buffer + width * Bpp) > - scanline_buffer + sizeof (stack_scanline_buffer)) + if ((width + 1) * Bpp * 3 > sizeof (stack_scanline_buffer)) { scanline_buffer = pixman_malloc_ab_plus_c (width, Bpp * 3, 32 * 3);
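Review bot: the new `+` line reserves only `Bpp * 3` bytes of slack for alignment padding, but the `ALIGN` steps on `src_buffer`, `mask_buffer` and `dest_buffer` can each add up to 15 bytes regardless of `Bpp`, so for `Bpp == 4` a width that passes `(width + 1) * Bpp * 3 > sizeof (stack_scanline_buffer)` can still overrun the stack buffer; the slack only suffices when `width * Bpp` is itself a multiple of the alignment, as for `Bpp == 16`. Suggest reserving padding in units of the alignment, matching the `32 * 3` extra term already passed to `pixman_malloc_ab_plus_c` on the heap path, and writing the comparison as a division so the test itself cannot wrap for large `width` (the failure class this patch targets), e.g. `if (width > (sizeof (stack_scanline_buffer) - 32 * 3) / (Bpp * 3))`. Note also that the unchanged `mask_buffer` and `dest_buffer` lines still evaluate `width * Bpp` before the size test, so those pointer computations happen with an unchecked `width`; moving the check ahead of them would avoid forming out-of-range pointers at all.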
Pixman mailing list: http://lists.freedesktop.org/mailman/listinfo/pixman
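As an added example (not pixman's code and not part of the patch above), the C program below models the src/mask/dest layout that the hunk computes, using a hypothetical 16-byte `align_up` in place of pixman's `ALIGN`, and checks over every possible misalignment of the buffer base whether the `(width + 1) * Bpp * 3` test reserves enough bytes. It also shows a conservative size check written as a division, so the check cannot wrap for large `width`. It goes beyond the cover letter by tabulating small widths for Bpp of 4, 8 and 16. The function names, the `ALIGNMENT` constant and the assumption that the stack buffer's base address may itself be unaligned are this example's own.

```c
/* Added example (not pixman's code): models the three-buffer scanline layout
 * of general_composite_rect with a 16-byte ALIGN, to show why the patch's
 * (width + 1) * Bpp * 3 slack under-counts alignment padding for small Bpp,
 * and how to write the size check without a multiplication that can wrap.
 * Names, ALIGNMENT and the layout assumptions are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALIGNMENT ((size_t) 16)

/* Round an offset up to the next multiple of ALIGNMENT (a 16-byte ALIGN). */
static size_t align_up (size_t p)
{
    return (p + ALIGNMENT - 1) & ~(ALIGNMENT - 1);
}

/* Bytes the src/mask/dest layout consumes from the start of a buffer whose
 * base address sits `base_misalign` bytes past a 16-byte boundary.
 * Returns 0 when width * bpp (or a later offset) would wrap. */
size_t scanline_bytes_needed (size_t width, size_t bpp, size_t base_misalign)
{
    size_t row, src, mask, dest, end;

    if (bpp != 0 && width > SIZE_MAX / bpp)
        return 0;                                /* width * bpp overflows */
    row = width * bpp;
    if (row > (SIZE_MAX - 4 * ALIGNMENT) / 3)
        return 0;                                /* offsets below would wrap */

    src  = align_up (base_misalign);             /* ALIGN (scanline_buffer) */
    mask = align_up (src + row);                 /* ALIGN (src_buffer + width * Bpp) */
    dest = align_up (mask + row);                /* ALIGN (mask_buffer + width * Bpp) */
    end  = align_up (dest + row);                /* ALIGN (dest_buffer + width * Bpp) */
    return end - base_misalign;
}

/* Total the patch's test reserves: (width + 1) * bpp * 3 bytes. */
size_t patch_estimate (size_t width, size_t bpp)
{
    return (width + 1) * bpp * 3;
}

/* 1 if the patch's estimate covers the layout for every base misalignment. */
int patch_estimate_is_safe (size_t width, size_t bpp)
{
    size_t m;
    for (m = 0; m < ALIGNMENT; m++)
    {
        size_t need = scanline_bytes_needed (width, bpp, m);
        if (need == 0 || need > patch_estimate (width, bpp))
            return 0;
    }
    return 1;
}

/* Conservative, overflow-free replacement for the size test: reserve the
 * worst-case padding of the four ALIGN steps, then compare with a division
 * instead of forming width * bpp * 3. */
int fits_in_stack (size_t width, size_t bpp, size_t cap)
{
    const size_t pad = 4 * (ALIGNMENT - 1);
    if (bpp == 0)
        return 1;
    if (bpp > SIZE_MAX / 3 || cap < pad)
        return 0;
    return width <= (cap - pad) / (bpp * 3);
}

int main (void)
{
    static const size_t bpps[] = { 4, 8, 16 };
    size_t i, w;
    printf ("width bpp patch_total worst_need patch_safe\n");
    for (i = 0; i < sizeof bpps / sizeof bpps[0]; i++)
        for (w = 1; w <= 5; w++)
        {
            size_t worst = 0, m;
            for (m = 0; m < ALIGNMENT; m++)
            {
                size_t n = scanline_bytes_needed (w, bpps[i], m);
                if (n > worst)
                    worst = n;
            }
            printf ("%5zu %3zu %11zu %10zu %10s\n", w, bpps[i],
                    patch_estimate (w, bpps[i]), worst,
                    patch_estimate_is_safe (w, bpps[i]) ? "yes" : "NO");
        }
    return 0;
}
```

Running the table shows the pattern the cover letter describes: with `bpp == 16` every row length is already a multiple of the alignment, so the only padding is at the base and the 48-byte slack covers it, whereas with `bpp == 4` three of the `ALIGN` steps can each add 12 bytes on top of the base misalignment and the 12-byte slack is not enough. `fits_in_stack` over-reserves slightly (60 bytes instead of the true worst case) in exchange for a check that is trivially free of overflow.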
