From 691ba9daf22d7454787e86158992562d87094ed2 Mon Sep 17 00:00:00 2001
From: Federico Mena Quintero
Date: Mon, 20 Apr 2015 16:29:07 -0500
Subject: [PATCH] cairo-image-compositor: validate coordinates passed to pixman_fill()
Cairo's problems with handling big coordinates mean that sometimes we end up passing invalid values to pixman_fill(), which does not validate its arguments. For now, we check that the coordinates we pass within the image buffer are nonnegative. See https://bugzilla.gnome.org/show_bug.cgi?id=744391 for the librsvg bug that started this.
Signed-off-by: Federico Mena Quintero
---
src/cairo-image-compositor.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
index 48072f8..18a9d61 100644
--- a/src/cairo-image-compositor.c
+++ b/src/cairo-image-compositor.c
@@ -347,10 +347,12 @@ fill_boxes (void *_dst,
 int y = _cairo_fixed_integer_part (chunk->base[i].p1.y);
 int w = _cairo_fixed_integer_part (chunk->base[i].p2.x) - x;
 int h = _cairo_fixed_integer_part (chunk->base[i].p2.y) - y;
- pixman_fill ((uint32_t *) dst->data,
- dst->stride / sizeof (uint32_t),
- PIXMAN_FORMAT_BPP (dst->pixman_format),
- x, y, w, h, pixel);
+
+ if (x >= 0 && y >= 0 && w > 0 && h > 0)
+ pixman_fill ((uint32_t *) dst->data,
+ dst->stride / sizeof (uint32_t),
+ PIXMAN_FORMAT_BPP (dst->pixman_format),
+ x, y, w, h, pixel);
 }
 }
 }
-- 
1.8.4.5
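Review bot: The added guard `if (x >= 0 && y >= 0 && w > 0 && h > 0)` rejects only negative origins and empty extents, so a box whose right or bottom edge lies beyond the surface still reaches pixman_fill(), which the commit message says does not validate its arguments; an out-of-bounds write into dst->data therefore remains possible for oversized coordinates. Assuming dst is the cairo_image_surface_t with its width and height fields, the condition should also bound the far edges, written as a subtraction so the sum cannot overflow: `if (x >= 0 && y >= 0 && w > 0 && h > 0 && w <= dst->width - x && h <= dst->height - y)`. A short comment above it, e.g. `/* pixman_fill() does not validate its arguments; skip boxes that fall outside the surface */`, would record why such boxes are silently dropped. fill_boxes starts and ends outside the hunk, so whether callers already clip the boxes cannot be confirmed from here.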