fdo-mirrors/cairo
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/cairo/cairo.git synced 2026-04-19 03:10:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

bo-rectangular: Prevent invalid read during edge traversal

Browse source 
Benjamin Otte tracked down an invalid read triggered by WebKit. The
cause is that we attempt to dereference the list_head as an edge as we
failed to check that during the skipping of colinear edges we advanced
to the end, under the false assumption that there would always
be a closing edge in a rectangle. This assumption is broken if the tail
rectangles having colinear right edges.
This commit is contained in:
Chris Wilson 2010-02-22 14:20:34 +00:00
parent 75db4f0ece
commit 9f46bad301
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/cairo-bentley-ottmann-rectangular.c
View file

@ -422,6 +422,9 @@ active_edges_to_traps (sweep_line_t *sweep,
winding += right->dir;
if (winding == 0) {
if (right->next == &sweep->tail)
break;
/* skip co-linear edges */
if (likely (right->x != right->next->x))
break;
@ -450,6 +453,9 @@ active_edges_to_traps (sweep_line_t *sweep,
right, top, do_traps, container);
}
if (pos == &sweep->tail)
break;
/* skip co-linear edges */
if (right->x != pos->x)
break;