From 91113a9e4583fac275cc0fa01fc957abd9b7dc0e Mon Sep 17 00:00:00 2001
From: Chuanbo Weng
Date: Tue, 13 Mar 2012 11:19:23 +0000
Subject: [PATCH] subsurface: Avoid potential crash when subsurface's size is less than 0

When cairo_surface_create_for_rectangle() is given non-integer parameters, the subsurface's size may be negative(e.g x = 0.2, width = 0.7, the final width will be -1). This illegal surface may cause crash somewhere upon later use, and although the fractional subsurface is ill-defined, we should never crash!
---
 src/cairo-surface-subsurface.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/cairo-surface-subsurface.c b/src/cairo-surface-subsurface.c
index 8590bf0ca..071dd75be 100644
--- a/src/cairo-surface-subsurface.c
+++ b/src/cairo-surface-subsurface.c
@@ -461,6 +461,9 @@ cairo_surface_create_for_rectangle (cairo_surface_t *target,
 {
 cairo_surface_subsurface_t *surface;
 
+ if (unlikely (width < 0 || height < 0))
+ return _cairo_surface_create_in_error (_cairo_error (CAIRO_STATUS_INVALID_SIZE));
+
 if (unlikely (target->status))
 return _cairo_surface_create_in_error (target->status);
 if (unlikely (target->finished))
@@ -484,6 +487,8 @@ cairo_surface_create_for_rectangle (cairo_surface_t *target,
 surface->extents.y = ceil (y);
 surface->extents.width = floor (x + width) - surface->extents.x;
 surface->extents.height = floor (y + height) - surface->extents.y;
+ if ((surface->extents.width | surface->extents.height) < 0)
+ surface->extents.width = surface->extents.height = 0;
 
 if (target->backend->type == CAIRO_SURFACE_TYPE_SUBSURFACE) {
 /* Maintain subsurfaces as 1-depth */
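Review bot: The new guard at the top of cairo_surface_create_for_rectangle() rejects only negative sizes, so a NaN width or height still passes, because `width < 0` is false for NaN. Assuming the arguments are doubles, as the commit message and the later ceil()/floor() calls suggest, a NaN then reaches the conversion into surface->extents in the second hunk, where converting it to an integer is undefined. Writing the test as `if (unlikely (! (width >= 0 && height >= 0)))` rejects NaN as well; infinite or very large finite x, y, width or height would still need a range check before those conversions. The size test also runs before the target->status check, so an already-errored target with a negative size reports CAIRO_STATUS_INVALID_SIZE rather than the target's own status, which is worth confirming as intended. The function's signature and the rest of its body lie outside the hunk.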
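Review bot: The added clamp `if ((surface->extents.width | surface->extents.height) < 0)` relies on the sign bit of a bitwise OR, which is easy to misread, and it zeroes both dimensions even when only one of them is negative; a comment should say that this is deliberate. Something like `/* A fractional rectangle that covers no whole pixel gives a negative extent; collapse it to an empty surface. */` above the test would do. It is also worth stating there that extents.x and extents.y keep their ceil() values, so the emptied rectangle keeps the requested origin. The enclosing function starts and ends outside the hunk.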