From dfe3aa6d88ad548b729cf8e5b5ff9d80fbb0e412 Mon Sep 17 00:00:00 2001
From: Antony Lee
Date: Mon, 11 Feb 2019 08:48:56 +0100
Subject: [PATCH] Fix off-by-one bug in tor22-scan-converter. This makes the implementation in tor22-scan-converter match the one in tor-scan-converter.
---
 src/cairo-tor22-scan-converter.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/cairo-tor22-scan-converter.c b/src/cairo-tor22-scan-converter.c
index bf44742b0..79c858e4e 100644
--- a/src/cairo-tor22-scan-converter.c
+++ b/src/cairo-tor22-scan-converter.c
@@ -1287,12 +1287,15 @@ glitter_scan_converter_reset(
 int xmax, int ymax)
 {
 glitter_status_t status;
+ int max_num_spans;
 converter->xmin = 0; converter->xmax = 0; converter->ymin = 0; converter->ymax = 0;
- if (xmax - xmin > ARRAY_LENGTH(converter->spans_embedded)) {
- converter->spans = _cairo_malloc_ab (xmax - xmin,
+ max_num_spans = xmax - xmin + 1;
+
+ if (max_num_spans > ARRAY_LENGTH(converter->spans_embedded)) {
+ converter->spans = _cairo_malloc_ab (max_num_spans,
 sizeof (cairo_half_open_span_t));
 if (unlikely (converter->spans == NULL))
 return _cairo_error (CAIRO_STATUS_NO_MEMORY);
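Review bot: `max_num_spans = xmax - xmin + 1;` sizes the span buffer from a plain `int` subtraction with no check that `xmax >= xmin`, and the `+ 1` adds a signed-overflow case at the extreme width. If `ARRAY_LENGTH` yields an unsigned type (its definition is not visible here), a negative count would convert to a large value in the `if` and reach `_cairo_malloc_ab`; whether callers already guarantee a well-formed box cannot be told from this hunk. Because an undersized span array means writes past its end, I would state the invariant where the size is computed, e.g. `assert (xmax >= xmin);` together with a comment such as `/* xmax - xmin + 1 entries, as in cairo-tor-scan-converter.c */`, so the two converters do not drift apart again. The body of glitter_scan_converter_reset starts and ends outside the hunk, so the path taken when the embedded array is large enough, and any release of an earlier allocation, are not reviewed here.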