From 832e50c00099bafa5e231cea146e82fb5328753b Mon Sep 17 00:00:00 2001
From: Olaf Hering <olaf@aepfle.de>
Date: Fri, 6 Nov 2015 17:17:00 +0100
Subject: polygon-intersection: fix segfault in active_edges

Current code uses pointer obtained by right->next without verifying.
The obvious result is a crash, depending on the input. Catch NULL
pointer and exit loop gracefully.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=59098

Signed-off-by: Olaf Hering <olaf@aepfle.de>
---
 src/cairo-polygon-intersect.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/cairo-polygon-intersect.c b/src/cairo-polygon-intersect.c
index 8cb8fb1..0a98da3 100644
--- a/src/cairo-polygon-intersect.c
+++ b/src/cairo-polygon-intersect.c
@@ -1107,8 +1107,6 @@ edges_start_or_continue (cairo_bo_edge_t	*left,
 			 int			 top,
 			 cairo_polygon_t	*polygon)
 {
-    assert (right->deferred.other == NULL);
-
     if (left->deferred.other == right)
 	return;
 
@@ -1178,10 +1176,12 @@ active_edges (cairo_bo_edge_t		*left,
 		}
 
 		right = right->next;
-	    } while (1);
+	    } while (right);
 
 	    edges_start_or_continue (left, right, top, polygon);
 
+	    if (!right)
+		break;
 	    left = right->next;
 	}
 }