From 3ae9d04c6ddd311ffab91170fb9342e37c5530a8 Mon Sep 17 00:00:00 2001 From: M Joonas Pihlaja Date: Fri, 1 Jan 2010 20:13:33 +0200 Subject: [PATCH] [stroker] Fix off-by-one memory allocation in _tessellate_fan(). The number of points in a triangle fan was miscomputed because it was computing the number of line segments rather than points in the fan. Now we include the final point of the fan correctly in the count. This fixes https://bugs.webkit.org/show_bug.cgi?id=33071 as reported by Benjamin Otte. A derived test case was not added to the cairo test suite since the bug is difficult to trigger in a reliable way which causes visible results (as opposed to silent heap corruption.) The easiest way of triggering the bug is to stroke a line using a large line width and round caps or joins. --- src/cairo-path-stroke.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cairo-path-stroke.c b/src/cairo-path-stroke.c index 272045a87..6e1986a97 100644 --- a/src/cairo-path-stroke.c +++ b/src/cairo-path-stroke.c @@ -346,7 +346,7 @@ _tessellate_fan (cairo_stroker_t *stroker, if (npoints < 0) npoints += stroker->pen.num_vertices; - npoints += 2; + npoints += 3; if (npoints <= 1) goto BEVEL;
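Review bot: the hunk changes `npoints += 2;` to `npoints += 3;` in _tessellate_fan() but its visible context ends at `if (npoints <= 1) goto BEVEL;`, so the allocation that the commit message says was one element short is not in view; before merging, check that every downstream use of npoints (the buffer allocation and the loop that fills the fan vertices) is driven by this same count, otherwise the extra slot is allocated but the final fan point is still written past, or never written, depending on which side was wrong. The `npoints <= 1` guard now compares against a value one higher than before, so it trips for a base count one lower than it used to; confirm that is the intended threshold rather than an accidental side effect of the fix. Since the message notes no regression test was added because the heap corruption is silent, a short comment at the increment saying what the three added points are (the two cap/join endpoints plus the final fan point, per the commit message) would make the magic number auditable, and the test-suite gap should be tracked against the referenced bug so a memory-checker run of a wide round-capped stroke can be added later.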