The XRenderCreateLinearGradient, XRenderCreateRadialGradient and XRenderCreateConicalGradient functions in Picture.c add the color stop length after adding the color stop data. If the color stop data exceeds the output buffer, the request will be sent to the server with an incorrect length field. Simply adding the color stop length before sending the color stop data will fix this issue. This bug affects any client using gradient pictures. Clients that use a version of libXrender without this fix can work around the issue by flushing the output buffer just before creating a gradient picture. The current code is also not handling the case where the number of color stops is so great that a "Big Request" is required. Using SetReqLen to set the length field instead of manually incrementing it will take care of this. I'm attaching a patch that will fix both issues. Can I commit this patch and increment the version number to 0.9.3?
Created attachment 8281: Properly set length field in gradient requests
Sorry about the phenomenal bug spam, guys. Adding xorg-team@ to the QA contact so bugs don't get lost in future.
David, looks like the right fix to me, please apply and make a 0.9.3 release.
done.
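The first issue in the report above, reduced to a small model: this is an added example, not code from libXrender or from the attached patch. The buffer, the 4-byte header layout, the opcode and every function name are constructed for illustration; only the ordering of "set length" versus "append data" follows the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a client request buffer; constructed names, not Xlib. */
#define BUFSZ 32                        /* tiny, so the overflow is easy to reach */
static uint8_t buf[BUFSZ], wire[256];   /* pending bytes / bytes already "sent" */
static size_t used, wire_len;

static void flush_buf(void) {
    memcpy(wire + wire_len, buf, used);
    wire_len += used; used = 0;
}
static void set_len(uint8_t *hdr, uint16_t units) { memcpy(hdr + 2, &units, 2); }

/* Queue a 4-byte header: opcode, pad, 16-bit length in 4-byte units. */
static uint8_t *get_req(void) {
    if (used + 4 > BUFSZ) flush_buf();
    uint8_t *hdr = buf + used;
    hdr[0] = 0x01; hdr[1] = 0;          /* constructed opcode */
    set_len(hdr, 1);                    /* header only, payload not counted yet */
    used += 4;
    return hdr;
}

/* Append payload; if it does not fit, flush pending bytes and send it directly. */
static void put_data(const void *p, size_t n) {
    int fits = used + n <= BUFSZ;
    if (!fits) flush_buf();             /* the queued header leaves the client here */
    memcpy(fits ? buf + used : wire + wire_len, p, n);
    if (fits) used += n; else wire_len += n;
}

/* Length field the receiver sees; prefill = bytes of earlier queued requests. */
uint16_t wire_length(int nstops, size_t prefill, int len_first) {
    uint32_t stops[16] = {0};           /* constructed payload, nstops <= 16 */
    uint16_t seen, len = (uint16_t)(1 + nstops);
    memset(buf, 0xEE, prefill);
    used = prefill; wire_len = 0;
    uint8_t *hdr = get_req();
    if (len_first) set_len(hdr, len);   /* fixed order: length, then data */
    put_data(stops, (size_t)nstops * 4);
    if (!len_first) set_len(hdr, len);  /* reported order: too late after a flush */
    flush_buf();
    memcpy(&seen, wire + prefill + 2, 2);
    return seen;
}
int main(void) {
    printf("late: %u, early: %u\n", wire_length(4, 24, 0), wire_length(4, 24, 1));
    return 0;
}
```

A `prefill` of 0 corresponds to the workaround in the report: with the buffer flushed beforehand, the payload fits and even the late length update reaches the wire.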