From 832e50c00099bafa5e231cea146e82fb5328753b Mon Sep 17 00:00:00 2001
From: Olaf Hering
Date: Fri, 6 Nov 2015 17:17:00 +0100
Subject: polygon-intersection: fix segfault in active_edges

Current code uses pointer obtained by right->next without verifying. The obvious result is a crash, depending on the input. Catch NULL pointer and exit loop gracefully.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=59098
Signed-off-by: Olaf Hering
---
 src/cairo-polygon-intersect.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/cairo-polygon-intersect.c b/src/cairo-polygon-intersect.c
index 8cb8fb1..0a98da3 100644
--- src/cairo-polygon-intersect.c
+++ src/cairo-polygon-intersect.c
@@ -1107,8 +1107,6 @@ edges_start_or_continue (cairo_bo_edge_t *left,
 int top,
 cairo_polygon_t *polygon)
 {
- assert (right->deferred.other == NULL);
-
 if (left->deferred.other == right)
 return;
@@ -1178,10 +1176,12 @@ active_edges (cairo_bo_edge_t *left,
 }
 right = right->next;
- } while (1);
+ } while (right);
 edges_start_or_continue (left, right, top, polygon);
+ if (!right)
+ break;
 left = right->next;
 }
 }
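Review bot: `edges_start_or_continue (left, right, top, polygon)` is still called before the new `if (!right) break;` in the second hunk, so the callee now receives a NULL `right` whenever the inner loop runs off the end of the edge list. The first hunk only drops the assert that dereferenced `right`; the rest of that function lies outside the hunk, so any remaining unguarded `right->` access there would move the crash instead of removing it. If the call is deliberately made with NULL, say so at the call site, e.g. `/* right may be NULL here (list ended with non-zero winding); callee must not dereference it */`. The `do` body also starts outside the hunk: if it reads `right` before reaching `right = right->next`, the trailing `while (right)` does not cover a `right` that is already NULL on entry, and a guard before the `do` would be needed as well.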